Check out this article..
http://www.cio.com/article/102751/Your_Guide_To_Good_Enough_Compliance?page=5&taxonomyId=1419
What is "Good enough Compliance?" You either ARE complaint or you ARE NOT. Its a switch. The article should be a guide to "Good enough security". Good security is no the same a being compliant. I would much rather have good security then being compliant with any given regulation. But good security often covers many of the security requirements outlined in compliance standards. Two things caught came to mind reading the article.
1) Don't trust Sony Pictures with any personal data or credit card information.
2) How many data breaches are REALLY happening?
What does this paragraph suggest?
"According to Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker, state security breach notification laws are among the most frequently ignored types of security regulation. About 35 states have passed security breach notification laws, which lay out, to varying degrees, when an enterprise needs to notify customers and clients if their private information may have been exposed to an unauthorized user. According to CIO and PricewaterhouseCoopers’ “The Global State of Information Security 2006” survey, 32 percent of U.S. organizations admit to not being compliant with state privacy regulations."
According to this paragraph 32% of organizations admit to not being compliant with state privacy laws. The only way to be non-compliant with those laws is to have a breach and not disclose it properly right? That is a significant number of unreported breaches.
Well, at least Myspace did the right thing this past April. Check out their disclosure on April 16th, 2009.
http://www.privacyrights.org/ar/ChronDataBreaches.htm
http://www.cio.com/article/102751/Your_Guide_To_Good_Enough_Compliance?page=5&taxonomyId=1419
What is "Good enough Compliance?" You either ARE complaint or you ARE NOT. Its a switch. The article should be a guide to "Good enough security". Good security is no the same a being compliant. I would much rather have good security then being compliant with any given regulation. But good security often covers many of the security requirements outlined in compliance standards. Two things caught came to mind reading the article.
1) Don't trust Sony Pictures with any personal data or credit card information.
2) How many data breaches are REALLY happening?
What does this paragraph suggest?
"According to Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker, state security breach notification laws are among the most frequently ignored types of security regulation. About 35 states have passed security breach notification laws, which lay out, to varying degrees, when an enterprise needs to notify customers and clients if their private information may have been exposed to an unauthorized user. According to CIO and PricewaterhouseCoopers’ “The Global State of Information Security 2006” survey, 32 percent of U.S. organizations admit to not being compliant with state privacy regulations."
According to this paragraph 32% of organizations admit to not being compliant with state privacy laws. The only way to be non-compliant with those laws is to have a breach and not disclose it properly right? That is a significant number of unreported breaches.
Well, at least Myspace did the right thing this past April. Check out their disclosure on April 16th, 2009.
http://www.privacyrights.org/ar/ChronDataBreaches.htm