[ISN] Security driven by compliance, rather than protection

From: InfoSec News <alerts_at_private>
Date: Tue, 6 Apr 2010 01:48:44 -0500 (CDT)
http://news.cnet.com/8301-13846_3-10472754-62.html

By Dave Rosenberg
Software, Interrupted 
CNET News
April 5, 2010

A new report by Forrester Research, commissioned by Microsoft and RSA, 
the security division of EMC, found that even though corporate 
intellectual property comprises 62 percent of a given company's data 
assets, security programs are focused on compliance rather than data 
protection.

The report highlights a number of key findings that give anyone even 
remotely involved in the security of corporate data something to think 
about:

    * Secrets comprise two-thirds of the value of firms' information 
      portfolios
    * Compliance, not security, drives security budgets
    * Firms focus on preventing accidents, but theft is where the money 
      is
    * The more valuable a firm's information, the more incidents it will 
      have
    * CISOs do not know how effective their security controls actually 
      are

According to Forrester, corporate security programs are typically 
divided into two main categories of data types to protect: secrets and 
custodial data.

Secrets--which can confer long-term competitive advantage, such as 
product plans, earnings forecasts, and trade secrets.

    Secrets refer to information that the enterprise creates and wishes 
    to keep under wraps. Secrets tend to be messily and abstractly 
    described in Word documents, embedded in presentations, and 
    enshrined in application-specific formats like CAD.

Custodial data--which includes customer, medical, and payment card 
information that becomes "toxic" when spilled or stolen.

    Custodial data has little intrinsic value in and of itself. But when 
    it is obtained by an unauthorized party, misused, lost, or stolen, 
    it changes state. Data that is ordinarily benign transforms into 
    something harmful. When custodial data is spilled, it becomes 
    "toxic" and poisons the enterprise's air in terms of press 
    headlines, fines, and customer complaints. Outsiders, such as 
    organized criminals, value custodial data because they can make 
    money with it. Custodial data also accrues indirect value to the 
    enterprise based on the costs of fines, lawsuits, and adverse 
    publicity.

[...]


Received on Mon Apr 05 2010 - 23:48:44 PDT