Comments on: ChoicePoint CISO says breach not an information security issue

By: infosafety

infosafety — Tue, 08 Mar 2005 19:10:38 +0000

This could get even more interesting, as it now involves a class action lawsuit.
http://www.righettilaw.com/cases/case.php?case=Choicepoint

Craig Herberg

By: imaginetsecurity

imaginetsecurity — Fri, 25 Feb 2005 11:26:27 +0000

This is a procedural breakdown of their entire process, not just as InfoSec is concerned. A business process had holes in it that were exploited, not a network system or device that was exploited. The violators came into the system appearing to be legitimate businesses, using social engineering to produce fraudulent business licenses and other documents. These were not scrutinized well enough to prevent these persons from being given access as if they were any other legitimate customer.

The CISO is no more culpable than the other executives in the company. All of them have the responsibility to ensure that their business processes and network systems are protecting against and are frequently audited for just such procedural vulnerabilities. This is not hacking but a business process and they applied their policies appropriately but we all see now that those policies were inadequate against fraudulent applications. I am sure that their procedures and policies will be tightened down far more and will include background checks on all applicants, verification of legitimate business licenses and other documents, before a customer is granted access to the information.

Is a bank CIO/CISO responsible for the business procedures of accepting a new checking account application resulting in a fraudulent account that kites checks? No. Should that CIO/CISO have input into the processes to prevent social engineering? Yes.

By: jonboy2001

jonboy2001 — Fri, 25 Feb 2005 11:11:23 +0000

Don’t you think everyone in the organization should bear soome responsibility for fraud — not just the security team. After all, there’s a human element to securing systems. If people let fraud occur, the best laid policies won’t work.

I say everyone should back off this guy. People in glass houses shouldn’t throw stones.

By: merlot

merlot — Fri, 25 Feb 2005 10:24:29 +0000

Sounds like the CISO is whistling past the graveyard.

By: infosafety

infosafety — Fri, 25 Feb 2005 08:36:44 +0000

Information security includes preventing unauthorized and/or inappropriate access. Perhaps a review of their authorization policies along with a look at what they consider “appropriate” is in order. . .

Craig Herberg

By: sonotsky

sonotsky — Fri, 25 Feb 2005 07:40:08 +0000

Theft of information from *any* system – paper, electronic, engraved on stone tablets – is a result of poor information security practices.

It’s quite simple: information – private customer data – was supposed to remain private and protected – there’s the security part. When the information was allowed outside of the secure environment, that’s failure on InfoSec’s part.

Sounds a lot like someone who knows they’re in deep trouble and trying to spin the facts in order to keep their cushy job.

But that’s just my opinion, and dammit, I’m entitled to it.