I also wrote the following:

“...it is no longer adequate that organizations secure only ‘their’ network. Vendors, suppliers, partners, customers, or any entity connected with the company electronically can become a potential point of vulnerability.”
It seems AT&T learned that lesson last year when it agreed to pay $25 million to settle an investigation into data breaches at call centers in Mexico, Colombia and the Philippines. Those breaches led to the disclosure of personal information on some 280,000 U.S. customers. From November 2013 until April 2014, three call center employees were paid to provide the names and at least the last four digits of Social Security numbers for more than 68,000 U.S. customers. During the investigation, the FCC learned that there were similar data breaches at call centers in Colombia and the Philippines involving the personal information of about 211,000 U.S. customers.
Paul Shomo, writing this month in the article “Why Marrying Infosec & Info Governance Boosts Security Capabilities,” made the following comment:

“The uncertainty over U.S. legal penalties and new EU privacy regulations are driving a new Information Governance (IG) market. These IG folks will soon appear in new positions, such as chief information governance officer (CIGO), or other titles with the acronym IG. Their mission will be tracking, regulating, and enforcing sensitive data policies.”
The sad part is that Information Governance is already a part of Information Security and the voluminous variants of Information Security standards. Yet the Information Security profession, by not professionalizing, is still hoping this type of integration can happen from a corner of the IT department. If Paul is correct, IG will not be coming from Information Security, but from yet another layer of management. This one will come top-down, unlike the current bottom-up flavor of most Information Security offices.