It’s Not Just For Card Data Any More
- Wednesday, November 11, 2009, 15:09
- Legal & Regulatory
With all of the recent fuss about PCI requirements and how to protect payment cards, many companies have opted to take a far too narrow view of data protection. The PCI rules are deliberately scoped to payment card data alone, but the same common-sense controls they demand (inventory the data, limit who can reach it, log access to it, back it up, test the recovery) will dramatically improve the security of CRM databases, personnel files, E-mail servers, payroll details, and even the full contents of your Web site.
Overworked IT executives suffering from staff cuts find checklist security quite comforting. The checklist mentality says that nothing should be done that isn't mandated. And there are no external rules protecting data beyond payment card data, health-related information and some investment data. Is this wise?
This month, a frightening answer to that question came in the form of an E-mail exchange that a reader shared with us. The reader, a security consultant, got a panicked call from a company seeking a forensic expert. A large amount of important data had been stolen, and the company hadn't been backing up that content. Even worse, they couldn't even try to piece together what the intruders had taken, because of a logging problem. To quote the victim: "We can't recover it, because it wasn't backed up, and it wasn't logging because it wasn't on the part of the SAN where logging occurs." Uh-oh.
Our reader said that he figured the data couldn’t have been close to mission-critical, given