ChoicePoint CISO says breach not an information security issue

Tags: Compliance, CRM, Disaster Recovery, Policies, Risk management, Security, Security Program Management
The CISO of ChoicePoint says the theft of private information on 145,000 from its databases isn't an information security issue because conmen used fraud, not hacking tools or techniques, to get the information. Anyone agree with that? Check it out: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1062076,00.html


I absolutely do NOT agree with that.

The biggest vulnerability in Information Security is human behavior. Period.

If Choicepoint’s Information Security plan does not include user training in information security (a fairly common thing nowadays), then their InfoSec policies and practices are flawed, and need remediation.

Bob

Discuss This Question: 6  Replies

  • Sonotsky
    Theft of information from *any* system - paper, electronic, engraved on stone tablets - is a result of poor information security practices. It's quite simple: information - private customer data - was supposed to remain private and protected - there's the security part. When the information was allowed outside of the secure environment, that's failure on InfoSec's part. Sounds a lot like someone who knows they're in deep trouble and trying to spin the facts in order to keep their cushy job. But that's just my opinion, and dammit, I'm entitled to it.
    695 points
  • InfoSafety
    Information security includes preventing unauthorized and/or inappropriate access. Perhaps a review of their authorization policies along with a look at what they consider "appropriate" is in order. . . Craig Herberg
    75 points
  • Merlot
    Sounds like the CISO is whistling past the graveyard.
    0 points
  • Jon Panker
    Don't you think everyone in the organization should bear some responsibility for fraud -- not just the security team. After all, there's a human element to securing systems. If people let fraud occur, the best laid policies won't work. I say everyone should back off this guy. People in glass houses shouldn't throw stones.
    1,090 points
  • Imaginetsecurity
    This is a procedural breakdown of their entire process, not just as InfoSec is concerned. A business process had holes in it that were exploited, not a network system or device that was exploited. The violators came into the system appearing to be legitimate businesses, using social engineering to produce fraudulent business licenses and other documents. These were not scrutinized well enough to prevent these persons from being given access as if they were any other legitimate customer. The CISO is no more culpable than the other executives in the company. All of them have the responsibility to ensure that their business processes and network systems are protecting against and are frequently audited for just such procedural vulnerabilities. This is not hacking but a business process and they applied their policies appropriately but we all see now that those policies were inadequate against fraudulent applications. I am sure that their procedures and policies will be tightened down far more and will include background checks on all applicants, verification of legitimate business licenses and other documents, before a customer is granted access to the information. Is a bank CIO/CISO responsible for the business procedures of accepting a new checking account application resulting in a fraudulent account that kites checks? No. Should that CIO/CISO have input into the processes to prevent social engineering? Yes.
    15 points
  • InfoSafety
    This could get even more interesting, as it now involves a class action lawsuit. http://www.righettilaw.com/cases/case.php?case=Choicepoint Craig Herberg
    75 points
