Case Study Chapter 5 page 95

Lost Hard Disk at ISM


Case Summary:

Questions:

1. What were the procedural shortcomings that led to this event?

Normal security procedures would involve strict handling of the discontinued disk, with
requirements that it be immediately destroyed or reformatted in a controlled manner such that the
data could not possibly be recovered by a new user. This would require strictly enforced policies
as to the physical handling of disks in these circumstances. One of the key methods of protecting
the data is to ensure that it is encrypted; if someone steals the physical disk or computer, they
cannot read the data without having access to the encryption key. It appears that these procedures
were not observed.

2. Why is security so important to the maintenance of privacy of personal data?

Security protects private personal information against disclosure and abuse. In the context of this
case, it is a key countermeasure against identity theft. Identity theft involves assembling enough
data about an individual from the internet and corporate databases to enable the perpetrator to
apply for credit in that person’s name, or otherwise use that identity for illegal purposes. Stolen
identities have been used to obtain credit cards, mortgages, passports, and birth certificates, and
arrange false marriages to obtain landed immigrant status.

3. Which was the greater concern in this case—lack of security or outsourcing?

Lack of security is the greater concern. Outsourcing does not necessarily involve a reduction of
security. In many cases it can lead to greater security if the entity chooses a well-run outsourced
service provider with effective security controls in place.