Information Security Blog

Learning From A Data Security Breach

As of July 20, 2011 there are 315 reported data security breaches in 2011.

Every day I open my email inbox to find hundreds of new articles, news items and breach alerts. With that much content pouring in, it is always nice to see something that stands out. A new article on Network World titled “Are we getting too much information about data breaches?”, written by Paul McNamara, caught my attention. In it, Paul discusses a data security breach affecting roughly 2,000 patients at Beth Israel Deaconess Medical Center.

Paul clearly states that he is not suggesting that the hospital shouldn’t have told its patients what happened. He is just not sure what usefulness the notifications provide for the patients.

While he might be right that notifying the patients about the breach won’t do them much good directly, it does help prevent problems in the future. Why?

When a data breach notification is made public, it gives the information security community an opportunity to look at what happened. By examining a breach, preventive measures, controls and new procedures can be put in place to reduce the likelihood of a recurrence. At the end of his article, Paul asks “So what are these 2,021 radiology patients left to do with this concerning information?” and answers his own question: “Except Worry”.

My suggestion for any company experiencing a data security breach is to pursue Database Security Testing, a Vulnerability Assessment and a Penetration Test. If an application is involved, an Application Security Assessment is also advised. If you already know of a weak point, fix it before something else happens.

In addition, I recommend informing your customers that you (the company) are engaging a third-party information security assessment firm so that their personally identifiable information is better protected. A simple note to your customers could ease their worry.

Sony is an example of a company that, after the PlayStation Network security breach, took immediate action to address its security issues in addition to notifying customers.

In the end, as a company experiencing a data security breach, take the appropriate steps to improve your information security management system.

Scott

The Beth Israel Deaconess Medical Center Data Security Breach:

A vendor failed to restore computer security controls following routine maintenance. A virus was later discovered on a computer that contained names, medical record numbers, genders, dates of birth, and the date and name of radiology procedures for patients. The virus transmitted encrypted data files to an unknown location. The computer was cleaned and had its software re-installed to clear the virus. source: privacyrights.org
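The root cause above is worth dwelling on: a control was switched off for maintenance and never switched back on, and nobody noticed until the malware did. A simple post-maintenance check that compares logged control-state changes against the approved maintenance window would have flagged it. The following is an added example, not code from the original post or from the hospital or its vendor; the log format, host names, control names and maintenance windows are all constructed assumptions.

```python
"""Post-maintenance control check (added example, not from the original post).

Assumes (constructed for illustration) that every control-state change is logged
as one line in the form
  '<ISO timestamp> host=<h> control=<c> state=<enabled|disabled> actor=<who>'
and that approved maintenance windows are known per host. Any control that is
still disabled once a window (plus a grace period) has closed, or that was
disabled on a host with no approved window at all, is reported.
"""
from datetime import datetime, timedelta

# Constructed approved maintenance windows: host -> (start, end)
WINDOWS = {
    "rad-ws-07": (datetime(2011, 6, 10, 22, 0), datetime(2011, 6, 10, 23, 30)),
    "rad-ws-08": (datetime(2011, 6, 10, 22, 0), datetime(2011, 6, 10, 23, 30)),
}

# Constructed sample log. rad-ws-08 is fully restored; on rad-ws-07 the vendor
# re-enabled the firewall but forgot the AV; rad-ws-09 had no window at all.
SAMPLE_LOG = """\
2011-06-10T22:05:00 host=rad-ws-07 control=endpoint_av state=disabled actor=vendor
2011-06-10T22:05:10 host=rad-ws-07 control=host_firewall state=disabled actor=vendor
2011-06-10T22:06:00 host=rad-ws-08 control=endpoint_av state=disabled actor=vendor
2011-06-10T23:10:00 host=rad-ws-08 control=endpoint_av state=enabled actor=vendor
2011-06-10T23:15:00 host=rad-ws-07 control=host_firewall state=enabled actor=vendor
2011-06-10T23:50:00 host=rad-ws-09 control=endpoint_av state=disabled actor=unknown
"""


def parse_event(line):
    """Turn one log line into a dict with a datetime 'ts' plus the key=value fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), **fields}


def current_state(events):
    """Latest known event for each (host, control) pair, by timestamp."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        latest[(ev["host"], ev["control"])] = ev
    return latest


def unrestored_controls(log_text, windows, now, grace=timedelta(minutes=30)):
    """Return (host, control, reason) for every control that should be back on but is not.

    Only events at or before 'now' are considered, so the check can be replayed
    at any point in time.
    """
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    events = [e for e in events if e["ts"] <= now]
    findings = []
    for (host, control), ev in sorted(current_state(events).items()):
        if ev["state"] != "disabled":
            continue
        window = windows.get(host)
        if window is None:
            findings.append((host, control, "disabled outside any approved window"))
            continue
        _start, end = window
        if now > end + grace:
            findings.append((host, control, f"still disabled {now - end} after window ended"))
    return findings


if __name__ == "__main__":
    # Run the check the morning after the maintenance window.
    for host, control, reason in unrestored_controls(SAMPLE_LOG, WINDOWS, datetime(2011, 6, 11, 1, 0)):
        print(f"{host}: {control} {reason}")
```

Run it from a scheduled job at the end of every change window (and again some hours later); the grace period exists so that a vendor finishing ten minutes late does not page anyone, while a control left off overnight does.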


About the Author:

Marketing at Pivot Point Security