Over the last few years and months, there have been many

reported incidents in which confidential information relating to customers or

employees has been leaked, stolen or lost. Various legislation ties to set standards

for how data should be collected, stored, and accessed—including the Data

Protection Act, Human Rights Act (in the UK), and other industry-specific

regulations. These standards define which activities are allowed and who is

authorised to carry them out. It’s important to define a clear information

security policy for your organization, particularly if you are in the financial

services sector.

The security of information can be breached in any number of

ways be it via hostile attack (hacking or physical theft), sloppy handling

(lost tapes or memory sticks), or leaking via an insider. Ensuring the security

of information not only needs to consider the risk of data theft but also loss

of integrity—information held by a company is a valuable asset which needs to

be protected from human error, hardware failures, and other potential

disasters. The loss or theft of sensitive information (such as customer

records, financial information, and employee data) can be a major embarrassment

to a firm—a few examples of data lost recently along with the number of people

potentially opened up to fraud/identity theft (thanks to privacyrights.org):

  • Feb.
    25 , 2005 – Bank of America – Lost backup tape – 1,200,000 exposed
  • June
    6, 2005 – CitiFinancial Lost backup tapes – 3,900,000 exposed
  • June
    16, 2005 – CardSystems – Hacking – 40,000,000 exposed
  • Mar.

    2, 2006 – Hamilton County Clerk of Courts (OH) – SSNs, other personal data

    of residents posted on county web site, were stolen and used to commit

    identity theft -1,300,000 exposed

  • May

    22, 2006 – Dept. of


    Veterans Affairs (Washington, DC) data of all American veterans who

    were discharged since 1975 including names, Social Security numbers, dates

    of birth and in many cases phone numbers and addresses, were stolen from a

    VA employee’s home – 28,000,000+ exposed

  • June 1, 2006 – Ernst & Young (UK) – A laptop

    containing names, addresses, and credit or debit card information of Hotels.com

    customers was stolen from an employee’s car in Texas – 243,000 exposed

  • June 14, 2006 – American Insurance Group (AIG) –

    The computer server was stolen on March 31 containing personal information

    including names, Social Security numbers and tens of thousands of medical

    records – 930,000 exposed

So what are the aims of defining a policy and what are the

consequences of its creation? There are two core principles behind the

definition of a security policy—the first is to define the relationship between

privilege and responsibility. Staff should clearly understand what is and what

is not allowed; the responsibilities which come with privilege must be defined

in clear guidelines. The second function of this policy will ensure that a firm

can react in an appropriate manner should any incident occur.

Next week I’ll take a look at what should be detailed

within a security policy and the various aspects of information security. If

you have any comments or suggestions—maybe experiences from drafting your own

security policies—then why not leave a comment and share your knowledge?