Check out this article..
What is "Good enough Compliance?" You either ARE complaint or you ARE NOT. Its a switch. The article should be a guide to "Good enough security". Good security is no the same a being compliant. I would much rather have good security then being compliant with any given regulation. But good security often covers many of the security requirements outlined in compliance standards. Two things caught came to mind reading the article.
1) Don't trust Sony Pictures with any personal data or credit card information.
2) How many data breaches are REALLY happening?
What does this paragraph suggest?
"According to Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker, state security breach notification laws are among the most frequently ignored types of security regulation. About 35 states have passed security breach notification laws, which lay out, to varying degrees, when an enterprise needs to notify customers and clients if their private information may have been exposed to an unauthorized user. According to CIO and PricewaterhouseCoopers’ “The Global State of Information Security 2006” survey, 32 percent of U.S. organizations admit to not being compliant with state privacy regulations."
According to this paragraph 32% of organizations admit to not being compliant with state privacy laws. The only way to be non-compliant with those laws is to have a breach and not disclose it properly right? That is a significant number of unreported breaches.
Well, at least Myspace did the right thing this past April. Check out their disclosure on April 16th, 2009.
Welcome to In Depth Defense. In Depth Defense LLC is a privately owned Information Security Consulting company owned and operated by Mark Baggett. In Depth Defense specializes in Penetration Testing and Incident Response. At this time In Depth Defense is not accepting any new client work, but we are happy to speak to you and point you to other resources in the community.
Mark Baggett has been active in Information Security for 18+ years. I've served in a variety of roles from software developer to CISO. You can find archives of older blog entries below and read my newer posts on http://www.pauldotcom.com, http://isc.sans.edu and http://pen-testing.sans.org