With any project involving IT assets, there is a process for having the plan or project approved. This procedure is in place to keep the appropriate parties informed of ongoing projects, to vet each project for applicability and for alternatives that may be better suited, and to ensure InfoSec is applied early on. Without the review and approval process in place and actually used, relatively serious issues can follow. This is especially the case where the jurisdiction has privacy and breach-notification laws, such as New York, California, and the EU.
Greenwich University experienced this issue recently. One of the University's departments decided to create a website without the University's knowledge, review, oversight, guidance, or approval. Although this in itself is an issue, the problem became much worse. The department decided it was fine to post, without applying InfoSec, the affected parties' names, addresses, dates of birth, phone numbers, and signatures, and in a portion of the instances, the person's physical and mental health issues.
The intent was to use the data for a training conference. This affected 19,500 students. This website should not have been created, and personal data should not have been put on it, without the request and implementation being reviewed through the process. Unfortunately, as a direct result of this, there was a security breach and the data was compromised. The University, located in the UK, was fined 120K British pounds sterling, or $160K USD (http://www.ehackingnews.com/2018/05/greenwich-university-fined-120000-for.html).
Lessons Learned
When an organization collects data from third parties, the collector becomes the steward of the data and is responsible for its security. When approved processes aren't followed, significant issues generally follow. The standard operating procedures have been put in place for a clear, rational reason.
These should be followed, with InfoSec applied as part of the SOP.