Bruce Schneier’s last cryptogram contained a discussion about the purpose of audit. He was commenting on the fact that Barack Obama’s phone records, passport file and aunt’s immigration status was inappropriately accessed by employees of the State Department, Immigration and Verizon employees.
Because of good audit controls, the State Department electronic monitoring alerted supervisors when information was inappropriately accessed. Verizon fared less well, and Immigration has no idea who accessed the information.
“Audit helps ensure that people don’t abuse positions of trust.” Too bad Countrywide didn’t have such alarms in place to catch the guy siphoning off information to sell. Or the guy who walked out the building with hundreds of thousands of dollars of hardware over the course of 10 years.
With hard statistics this year that insiders, either by ignorance or malfeasance, have been a large source of data breaches, having good audit trails and controls in place makes more and more sense.
With so many large databases out there holding such private information, how can we continue to pretend that it only happens to other businesses? And complaints about the cost of security just aren’t cutting it anymore. The incredible COST of a data breach just keeps rising.
Pointing fingers and saying the other guy should be responsible for security doesn’t work either. Ultimately, responsibility rests with those who have the data to safeguard the data – no matter what form it takes: inside a database, on a backup tape, on a laptop, on a web server.
If we’re going to use personal information to make money for our business, we’d better be prepared to protect that information – from ourselves and other employees.