IT Compliance and Controls

Converging Business, Information, and Controls


Weak Principle Controls are Cause of Security Breaches

February 4th, 2008 · No Comments

Remediation and corrective action are part of the lessons learned when a negative event (security breach, fraud, etc.) occurs within an organization.  It is regarded as best practice to learn from one’s own mistakes, and an even better practice to learn from OTHERS’ mistakes.  In either case, understanding which controls may address the situation at hand is essential to improving and maintaining an operationally effective control environment.

In the case of security breaches, a topic I cover extensively at PCI DSS & IT Controls Explained, the primary attack sources tend to trace back to weaknesses in a few basic controls.  The majority of control weaknesses stem from the following control areas:

  • Data Classification
  • Information Handling
  • Information Awareness and Education
  • Physical Access Controls (backup drives, laptops, PDA, and such devices are prone to exploitation)
  • Logical Access Controls (Such as restrictions of data on public systems, and integrity of payment systems)

This analysis is based on a review of the past breaches found at the Privacy Clearinghouse site, and was composed and presented to Georgia State University by Taiye Lambo.  The effort they conducted highlights the importance of specific controls, and emphasizes the need to learn from these events.  The reports that align each breach with the regulatory impact (mostly focused on the most widely recognized – PCI, SB1386) and the ISO27001 subsections are here and here for convenience.

Please check out this resource and others available for free at Educause – a great resource that should be leveraged as part of cross-industry collaboration.


James DeLuccia

Tags: Access and Authorization · Identity Theft · iso27001 · Logical Access · PCI · Physical Access · Risk Awareness · Technology Intelligence
