ConnectEdu to ensure that any student data transferred during the sale of ConnectEdu would be handled in accordance with guidelines set forth by the FTC Act and the Bankruptcy Code.

Still, however, there is no PCI DSS or HIPAA equivalent for employee data when a new employee shows up at orientation and has to produce a driver's license or passport and a Social Security Number, then submits I-9 and W-4 forms validating identity for tax purposes. It is up to the respective organization to police itself in the management of that employee data.

Some standards will overlap, such as when health-related information is submitted for insurance purposes, and when the employer submits any pertinent data to credit bureaus it must still comply with the standards set forth by the Fair Credit Reporting Act. But there is nothing signed into legislation that says an employer has to do X, Y and Z to secure employee data when it requisitions that data during the new-hire onboarding process. It is up to the employer as part of its best-foot-forward business and IT practice. If the litmus test for success in this type of initiative is how well the CIO's and COO's charges communicate across IT environments traditionally mired in silos with disparate workflows, we are clearly in trouble. The mainframe sysprog and the distributed network admin clearly speak two separate languages (if they communicate at all), and who knows whether either is speaking to anyone on the business side of the organization.

The IT vendor community should be saying "Nice try U.S. Gov, but we'll take it from here"

In the wake of the Sony Pictures breach of November 2014, several media outlets are reporting that employee salaries, medical histories and even human resources records were stolen. Computerweekly.com reports that Sony employees have decided to pursue legal action against Sony Pictures for the lost data, sparking the question: what is the Government doing to protect employee data when new hires present their information during the onboarding process?

Recently, the White House held a Cybersecurity Summit (February 13, 2015) at Stanford University, where President Obama urged private tech firms to share more information with government and with one another to jumpstart a joint effort to tackle cybercrime. This is the optimal approach and a great step in the right direction toward getting our figurative arms around the problem. The event, however, was snubbed by the heads of Google, Facebook and Yahoo, who were reportedly upset about the lack of reforms to federal digital information-gathering practices (i.e. the NSA spying allegations). Google, Facebook, Yahoo and Microsoft Corp. did send their top information security executives, according to a news report from Bloomberg News.

Mr. Obama is correct to ask for a kind of IT vendor, commercial business and government kumbaya, but it is unlikely ever to occur, for a multitude of reasons. First off, the vendor community is preoccupied with its own war, comprised of a series of battles between vendors and a user community that is battling big data to get a better handle on log management, the latter being the fuel that feeds Security Information & Event Management (SIEM). Secondly, the commercial sector is generally mum at the time a breach is discovered, partly from embarrassment to the brand and partly because they just don't have a lot of information to divulge. If they had a lot of the right information (better log management and proactive SIEM), perhaps they would not be in the predicament in the first place. As we have seen with Target, Anthem, Sony Pictures
CYBER DEFENSE MAGAZINE - ANNUAL EDITION 3