Password Policies Still Important in 2011

The Privacy Rights Clearinghouse recently released its review of what it calls the most significant data breaches of 2011. Even if you have read about each of these incidents before, they are worth reading again in summary form. What is perhaps most striking is that the controls ignored or never implemented in these major breaches were often the most basic security policies and procedures. Here is a quick summary of each incident and the matching security policies:

Sony PlayStation (April 27) – Hackers carrying out an external intrusion gained access to 101.6 million records, including 12 million unencrypted credit card numbers.

Control Failure:  Weak Passwords

Epsilon (April 2) – Epsilon, an email service provider for companies, reported a breach that affected approximately 75 client companies. (Maybe the largest breach EVER when counting records.)

Control Failure: Third Party Service Provider Security / Sensitive Information in the Cloud

Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) (Nov. 16) – A company-issued desktop computer was stolen from SMF’s administrative offices.

Control Failure:  Physical Security of Devices Holding Sensitive Data / Encryption of Sensitive Data during Storage

Texas Comptroller’s Office (April 11) – Information from three Texas agencies was discovered to be accessible on a public server.

Control Failures:  Change Control on Product Systems / Sensitive Information on Low Security Systems

Health Net (March 15) – Nine data servers containing the personal information of 1.9 million current and former policyholders went missing from Health Net’s data center.  The breach was reported to customers nearly 3 months late.

Control Failures:  Physical Access Control of Processing Facilities / Incident Response and Data Breach Notification Policies

Tricare Management Activity, Science Applications International Corporation (SAIC) (Sept. 30) – The theft of backup tapes from a car resulted in the exposure of protected health information from patients of military hospitals and clinics.

Control Failures:  Secure Transport of Sensitive Information / Encrypted Backups of Sensitive Information

The good news is that these controls are all part of the basic information security policies found in nearly all data protection frameworks, including ISO 27002 and NIST SP 800-53. For sample information security policy templates that address all of these requirements, see Information Security Policies Made Easy.