On Tue, Feb 17, 2015 at 8:42 AM, Edward Ned Harvey (lopser) <[email protected]> wrote:

> I see a lot of people and businesses out there that just don't care about
> their own privacy.  They email passwords to each other, W-2s with salary
> and social security information, photocopies of drivers' licenses and
> passports to be used by HR to complete I-9 forms...
>
> As an IT person advising a business to be more responsible, what areas do
> you advocate securing most urgently?  IT admin credentials?  HR records?
> Financial records?  Other stuff?  Simply everything, bar none?
>
> Email is obviously a huge area of insecure information sharing.  Do you
> also see a lot of people storing information that should be secured in
> other non-private services like Dropbox, Google Drive, Box, etc.?
>

I think of IT's role as helping the business better understand these risks
and the costs* of mitigating these risks. (*Cost includes reputation
costs.) To do that you need to understand the risks yourself and be able to
educate others who are interested.

For example, people don't always understand that PCI violations can cause
financial penalties including additional surcharges, or that gross HIPAA
violations can be $50k/record, or that many governments have rules about
PII that at a minimum are going to cost $10-20/person for credit protection.

As stated, it's good to come with solutions in hand, e.g. "if we use system
A for a cost of $X then we won't {have a potential risk of $Y, show up in
the news}."

Yours,
John B.
-- 
John Borwick
University Libraries IT Services Director
Virginia Tech
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/