Security Pie

Ok – so this stuff bugs me. Whenever a company sets up standards for others to live by but fails to live up to the same standards themselves I get annoyed. Amex is the “bully” in point.

See http://www.kpho.com/money/19936013/detail.html for a story in which two guys who worked at Amex were able to abscond with “thousands” of credit card number and “millions” of customer dollars.

I have two Amex cards. So I went to the Amex website to figure out if my card was somehow exposed. NADA. Not a single word anywhere on the site (perhaps I missed it?).

What is the use of PCI if one of the three card peddlers (Visa and Mastercard being the other two) reflect an attitude of indifference towards protecting MY data.

Wake up Amex CEO: Kenneth I. Chenault. I entrust you with my data. It is time for you to protect it! Mighty nice of you to harrass others with odd PCI requirements. Perhaps it is time you pass a PCI audit yourself.

/al

Here’s some very interesting reading material. I must admit that I was not aware of all the Federal policies to govern and protect IT systems and data in private sector companies. Below you can read the summary of the United States Government Accountability Office GAO-08-1075R.

More important, this document lists some of the penalties and enforcement options that the Feds can use.

Summary of Federal Requirements for Securing Privately Owned IT Systems and Data

Federal policy identifies 18 infrastructure sectors–such as banking and finance, energy, public health and healthcare, and telecommunications–that are critical to the nation’s security, economy, public health, and safety. Because these sectors rely extensively on computerized information systems and electronic data, it is crucial that the security of these systems and data is maintained. Further, because most of these infrastructures are owned by the private sector, it is imperative that public and private entities work together to protect these assets. The federal government uses both voluntary partnerships with private industry and requirements in federal laws, regulations, and mandatory standards to assist in the security of privately owned information technology (IT) systems and data within critical infrastructure sectors. As agreed, our objectives were to (1) identify, for each critical infrastructure sector, the federal laws, regulations, and mandatory standards that pertain to securing that sector’s privately owned IT systems and data and (2) identify enforcement mechanisms for each of the above laws, regulations, and mandatory standards.
Read the rest of this entry »