Forwarded from: Mark Bernard <Mark.Bernard@private>

Dear Associates,

The recent massive, 600k record, loss of private information by Time Warner truly highlights a threat that every company could be susceptible to. Every business that I've ever worked in, including Government, Pharmaceutical, Insurance, Banking and even Manufacturing, utilizes off site storage, which could prove to be the next weakest link in the chain of information ownership/custodianship.

At one time data encryption would never have been considered due to costs, but now that systems are cheaper and more powerful I don't see why it wouldn't be a serious consideration. Of course encryption keys also need to be managed for the future, hence Identity Management. Encryption may not be an absolute solution, but it's a great alternative and most importantly it mitigates risk.

The next operational areas to consider with a similar risk exposure to backup media would be hot sites, which handle live data over live communications lines, and development systems where un-sanitized data may be used for testing. In many cases development is handled by third parties, sometimes offshore, increasing the exposure rate to these vulnerabilities.

Recently I reviewed a Systems Development Department that used a prototyping promotion process. The prototyping promotion process is generally used to speed up the development-to-production time while attempting to reduce errors, further improving on quality and reducing operational expenses. Unlike the more traditional and more expensive systems development process that actually utilizes a segregated development environment, the prototype environment allows application programmers to have access to live data and usually live production systems.

Hot sites are just that: they typically maintain mirrored or duplicate transactions against a full production system. Since a hot site is usually hidden away in an unmarked, sometimes unmanned building, security precautions may be reduced from that of the production environment. That being said, it could be possible for staff or maintenance people to have access to information otherwise guarded.

There are many risks that need to be considered once information assets become digitized. Food for thought!!

Best regards,
Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,
e-mail: Mark.Bernard@private
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by John Quincy Adams:
"If your actions inspire others to dream more, learn more, do more and become more, you are a leader."

----- Original Message -----
From: "InfoSec News" <isn@private>
To: <isn@private>
Sent: Wednesday, May 04, 2005 3:37 AM
Subject: [ISN] Time Warner says data on 600,000 workers lost

> http://www.computerworld.com/securitytopics/security/story/0,10801,101500,00.html
>
> By Lucas Mearian
> MAY 02, 2005
> COMPUTERWORLD
>
> Time Warner Inc. reported today that a shipment of backup tapes with
> personal information of about 600,000 current and former employees
> went missing more than a month ago during a routine shipment to an
> offsite storage site.
>
> The tapes, part of a routine shipment being taken to the site by
> off-site data storage company Iron Mountain Inc. didn't include data
> about Time Warner customers, the company said in a statement.
>
> The company told employees today that the data tapes went missing
> March 22.
>
> "We are providing current and former employees with resources to
> monitor their credit reports while our investigation continues. We
> are working closely and aggressively with law enforcement and the
> outside data storage firm to get to the bottom of this matter," said
> Larry Cockell, Time Warner's chief security officer.
>
> The U.S. Secret Service is working with both Time Warner and
> Boston-based Iron Mountain to investigate the missing tapes.

_________________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Sat May 14 2005 - 12:26:25 PDT