Beyond Simple Compliance: Using Data-driven Prioritization of Controls

Columbus, OH—Are all information security controls created equal? Interhack Founder Matthew Curtin presents an update to Interhack original research Using Science to Combat Data Loss: Analysis of Breaches by Type and Industry. Curtin addresses Central Ohio ISACA members on Thursday January 13, 2011. 

Curtin shows how context can demonstrate the need for prioritization among the controls enumerated in frameworks such as ISO 27002, NIST SP 800-53, and CobiT. That context comes from Interhack research that classifies data breaches and analyzes them to show the relationships between reported breach types and the industries in which they occur.

Working through the Identity Theft Resource Center's list of reported data breaches, Curtin and coauthor Lee Ayres applied the previously published Interhack Breach Taxonomy and its taxonomy key to identify the type of each breach. Using the 2002 North American Industry Classification System, they then classified each report by industry.

This research shows that the Health Care and Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts. Educational Services reported a disproportionately large number of compromised hosts, while insider conduct and lost and stolen hardware were well below the proportion common to the set as a whole. Public Administration’s proportion of compromised host reports was below average, but their share of processing errors was well above the norm. The Finance and Insurance sector experienced the smallest overall proportion of processing errors, but the highest proportion of insider misconduct.
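The per-industry comparison the release describes, as an added Python example (not Interhack's code or data): it computes each sector's share of each breach type relative to that type's share across the whole set and flags types well above or below the norm. The sector and type labels follow the release; the counts are constructed for illustration.

```python
from collections import Counter

# Constructed counts of breach reports by NAICS sector and breach type.
# Labels follow the release; the numbers are made up for illustration
# and are not Interhack's data.
SAMPLE_COUNTS = {
    "Health Care and Social Assistance": {
        "lost/stolen hardware": 4, "compromised host": 1, "insider misconduct": 1},
    "Educational Services": {
        "compromised host": 4, "lost/stolen hardware": 1, "processing error": 1},
    "Finance and Insurance": {
        "insider misconduct": 3, "compromised host": 2, "lost/stolen hardware": 1},
    "Public Administration": {
        "processing error": 3, "lost/stolen hardware": 2, "compromised host": 1},
}


def overall_shares(counts):
    """Share of each breach type across the whole report set (the baseline)."""
    total = Counter()
    for per_type in counts.values():
        total.update(per_type)
    n = sum(total.values())
    return {t: c / n for t, c in total.items()}


def relative_prevalence(counts):
    """For each sector, the sector's share of each type divided by the
    overall share. 1.0 means the sector matches the set as a whole; above 1
    means over-representation, below 1 under-representation. A type a
    sector never reported yields 0.0 rather than being omitted."""
    baseline = overall_shares(counts)
    result = {}
    for sector, per_type in counts.items():
        n = sum(per_type.values())
        result[sector] = {t: (per_type.get(t, 0) / n) / baseline[t] for t in baseline}
    return result


def outliers(counts, low=0.75, high=1.25):
    """Types whose relative prevalence falls outside [low, high], per sector,
    as {sector: {type: "above" | "below"}}. The thresholds are arbitrary."""
    flags = {}
    for sector, ratios in relative_prevalence(counts).items():
        flags[sector] = {t: ("above" if r > high else "below")
                         for t, r in ratios.items() if r > high or r < low}
    return flags


if __name__ == "__main__":
    for sector, flagged in outliers(SAMPLE_COUNTS).items():
        print(sector, flagged)
```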

“As we look beyond simple compliance with control requirements to good risk management, we can speak meaningfully about likelihood of various types of events occurring, and how that affects how organizations prioritize their defensive resources.” 
—C. Matthew Curtin, Founder Interhack Corp.

Information about registration and attendance can be found online at http://www.isaca-centralohio.org

Schedule An Interhack Program in Your Organization

Interhack delivers presentations for CLE and CJE credit. If you would like to schedule an Interhack presentation in your association or law firm, please contact us for rates and availability.

About Interhack

Interhack aids executives and attorneys facing challenges and opportunities involving the use of information. We perform security and privacy assessments, as well as services to work with data in legal proceedings. Our work is used to find the right questions to ask and the best answers science can provide. Based in Columbus, Ohio, Interhack supports clients all over North America. Additional information about Interhack is available at web.interhack.com.