Information Security Magazine
Editor's Desk
by Kelley Damore
Issue: Nov 2006

The ways in which you protect your corporate data can be the difference between keeping your job and going to jail. Take it from HP.


By now you've heard about the HP imbroglio in which its chairwoman Patricia Dunn was forced to step down when it became public that HP used pretexting—obtaining phone records under false pretenses—to identify who leaked confidential information to reporters.

This corporate tale teaches security professionals a valuable lesson: The intersection of compliance, insider threats and data privacy laws conspires to pressure a security professional to walk the line—and perhaps cross it—in an effort to protect sensitive information from leaving a corporation.

Technology makes it easy to get such information, whether through pretexting, Trojans, email tracers or some other means. The question is how far companies (or you) will go to protect or seek information under the guise of regulations.

The motivation behind Sarbanes-Oxley was to create checks and balances to ensure that another "Enron" would not occur. Ironically, in the case of HP, it created a rationalization for the company to do something that has been deemed illegal.

Under Sarbanes-Oxley, publicly traded companies have the legal responsibility to respect one's privacy—but they also have the legal and fiduciary responsibility to protect confidential information and investigate leaks. In HP's case, the company crossed the line: An executive got Social Security numbers from HP's records and passed them on to an investigator to commit fraud. But other cases in corporate boardrooms may not be so clear.

Add privacy to the mix and it gets even murkier. Looking at company phone records and emails is fairly common and generally accepted. Different countries and different cultures have different thresholds and expectations when it comes to privacy.

The problem is that the distinctions between legal and illegal, and between ethical and unethical, are sometimes subtle. Is it illegal to be dishonest? Do the means justify the ends?

In the HP case, an employee knowingly passed on privileged information. In other cases, an employee unwittingly passes on sensitive information to an outsider.

The insider threat problem is a scenario that keeps CISOs up at night. As our Security 7 winner Craig Shumard recently put it: "We've only looked at the tip of the iceberg." In fact, our recent research on priorities for 2007 shows that insider threats are a top concern among security professionals. But how a CISO approaches or solves the problem can be the difference between you keeping your job and getting fired.

The HP scandal sounds eerily familiar. The methods that HP used are really nothing other than Kevin Mitnick's social engineering approach. Mitnick served five years in jail for his tactics. Should Dunn and her cohorts face a similar fate?
All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy