Washington's New Data Security Law; Information Ownership and Control

SECURITY INDUSTRY WATCH

Washington's New Security Breach Notification Law

Joining California and several other states, Washington now has its own security breach notification law.

The new law requires government agencies and "any person or business that does business in this state" and "owns or licenses computerized data that includes personal information," to "disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state (Washington) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

Simply stated, businesses can no longer keep security breaches a secret.

Washington defines "personal information" as follows:
* Person's last name
* Person's first name or initial
* Any of the following, along with an access code or password:
   - Social Security number
   - Driver's license or state identification number
   - Account, credit card, or debit card number

In the event of a security breach, any government agency, person, or business doing business in Washington must notify persons whose information was compromised in writing, according to procedures in the organization's security policy. In some cases the organization is required to notify major statewide media.

If the information compromised in a security breach is encrypted, no notification need take place.

This new law, like the similar one in California, is prompting organizations to strengthen their security lest they be the next company facing negative publicity, lawsuits, falling stock prices, etc. But knowing what to do and how to prioritize actions is difficult unless the risks of data compromise are known.



BUILDING YOUR INFORMATION SECURITY PROGRAM
Part of a multi-part series

Part 2, Information Ownership and Control

Corporate information in any form should be accessible only to those individuals whose business function requires it. Never has this been truer than in businesses that are supported by electronic information systems. Businesses that are connected to the Internet risk disclosure of information not only to unauthorized employees, but to anyone on the Internet. Without adequate control over access to business information, the risk of loss is great.

Limiting access to information requires decisions about which individuals and groups may access which information objects, and those decisions require a decision maker.

Who should the decision maker be? In many organizations, this falls onto the IT Department. On the surface this makes sense, since IT is managing the information system that houses the information. But while IT is responsible for the system, it is not the department responsible for the business function related to the information; IT is only the steward.

The real owner of the information is not IT, but the department that is responsible for the function associated with the information. This department or, rather, a responsible individual in this department, should be making access decisions for its electronic information.

That said, in many cases it is the IT Department that manages the access controls for information. But, IT should be managing access controls not according to its own judgment, but according to the information owner's directives. Depending upon many factors, the information owner may need to be involved in every access control decision, or perhaps the information owner can define business rules so that IT can make access decisions on behalf of the owner without having to involve the owner every time.

All of the information stored in electronic information systems should have designated owners who will make access control decisions, as well as other decisions about that information. IT should be able to readily determine the owner for given sets of information, perhaps in a document that lists sets of information and their respective owners.


TERM OF THE MONTH

Access Control List: a list of users and groups of users who are permitted to access given units of information. An access control list also specifies what a user is permitted to do with the information: read only, modify, or remove.
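As an added illustration (not code from the newsletter), the following Python models the ACL defined above together with the ownership rule from Part 2: IT records an entry only on the information owner's authorization, and a request is permitted only if the user, directly or through a group, holds that permission. The ownership register, department names and user names are constructed for the example.

```python
from dataclasses import dataclass, field

# The three rights the definition names; anything else is rejected.
PERMISSIONS = {"read", "modify", "remove"}

# Constructed ownership register: information set -> responsible owner.
# This is the "document that lists sets of information and their owners".
OWNERS = {
    "payroll-records": "hr.director",
    "customer-accounts": "finance.controller",
}


@dataclass
class AccessControlList:
    info_set: str
    # principal ("user:alice" or "group:payroll-clerks") -> granted rights
    entries: dict = field(default_factory=dict)

    def grant(self, granted_by, principal, perms):
        """Record an entry; only the information set's designated owner may authorize it."""
        if OWNERS.get(self.info_set) != granted_by:
            raise PermissionError(f"{granted_by} is not the owner of {self.info_set}")
        unknown = set(perms) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.entries.setdefault(principal, set()).update(perms)

    def permits(self, user, groups, perm):
        """Deny by default: True only if the user or one of the user's groups holds perm."""
        principals = [f"user:{user}"] + [f"group:{g}" for g in groups]
        return any(perm in self.entries.get(p, set()) for p in principals)


def try_grant(acl, granted_by, principal, perms):
    """Steward helper: returns False instead of raising when the grantor is not the owner."""
    try:
        acl.grant(granted_by, principal, perms)
        return True
    except PermissionError:
        return False


def build_payroll_acl():
    """Constructed sample: the HR director directs what IT records for payroll records."""
    acl = AccessControlList("payroll-records")
    acl.grant("hr.director", "group:payroll-clerks", {"read", "modify"})
    acl.grant("hr.director", "user:hr.director", PERMISSIONS)
    return acl
```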




Contact us via e-mail at info@vantagepointsecurity.com or call us at 425.454.5455.
safeguarding the integrity of business information™
Copyright © 2002-2006 VantagePoint Security LLC