twitter facebook rss

Governance the often-missing piece of Information Security

Posted by on March 12, 2016.

In the report, What does Information Security have in common with Eastern Air Lines Flight 401? – I posit that one byproduct of professionalizing Information Security will be elevating it to the board level where it belongs.

I also wrote the following:

“…it is no longer adequate that organizations secure only “their” network. Vendors, suppliers, partners, customers, or any entity connected with the company electronically can become a potential point of vulnerability.”

It seems AT&T learned that lesson last year when it agreed to pay $25 million to settle an investigation into data breaches at call centers in Mexico, Colombia and the Philippines. Those breaches led to the disclosure of personal information on some 280,000 U.S. customers. From November 2013 until April 2014, three call center employees were paid to provide the names and at least the last four digits of Social Security numbers for more than 68,000 U.S. customers. During the investigation, the FCC learned that there were similar data breaches at call centers in Colombia and the Philippines involving the personal information of about 211,000 U.S. customers.

Paul Shomo writing this month in the article Why Marrying Infosec & Info Governance Boosts Security Capabilities, made the following comment:

“The uncertainty over U.S. legal penalties and new EU privacy regulations are driving a new Information Governance (IG) market. These IG folks will soon appear in new positions, such as chief information governance officer (CIGO), or other titles with the acronym IG. Their mission will be tracking, regulating, and enforcing sensitive data policies.”

The sad part is Information Governance is already a part of Information Security and the voluminous variants of Information Security Standards. Yet the Information Security profession, by not professionalizing, is still hoping this type of integration can happen from a corner of the IT department. If Paul is correct, IG will not be coming from Information Security, but from yet another layer of management. This one will come Top-Down unlike the current Bottom-Up flavor of most Information Security offices.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Martin Zinaich | Tags: ,