With any project involving IT assets, there is a process for getting the plan approved. This procedure exists to keep the appropriate parties informed of on-going projects, to vet each project for applicability and for alternatives that may be better suited, and to ensure InfoSec is applied early on. Without a review and approval process in place and actually used, relatively serious issues can follow. This is especially the case where the jurisdiction has privacy and breach-notification laws, such as New York, California, and the EU.
Greenwich University experienced this issue recently. One of the University's departments decided to create a website without the University's knowledge, review, oversight, guidance, or approval. Although this in itself is an issue, the issue became much worse. The department decided it was fine to post, without applying InfoSec, the affected parties' names, addresses, dates of birth, phone numbers, and signatures, and in a portion of the instances, the person's physical and mental health issues.
The intent was to use the data for a training conference. This affected 19,500 students. This website should not have been created, and personal data should not have been put on it, without the request and the implementation being reviewed through the process. Unfortunately, as a direct result, there was a security breach and the data was compromised. The University, located in the UK, was fined £120,000 (roughly $160,000 USD) (http://www.ehackingnews.com/2018/05/greenwich-university-fined-120000-for.html).
When an organization collects data from third parties, the collector becomes the steward of that data and is responsible for its security. When approved processes aren't followed, significant issues generally follow. The standard operating procedures at an organization have been put in place for a clear, rational reason and should always be adhered to. Rules are in place for a reason and should be followed, and applying InfoSec should be part of the SOP.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker's background includes work in the banking, medical, automotive, and staffing industries.