only when it is truly appropriate or necessary to avoid adding undesirable
complexity to the host organization's operational environment.
Protect the Data
Being suddenly naked in public is a common nightmare, but one that is
not nearly as disturbing as having the sensitive or protected data of
millions of clients revealed inadvertently. A number of laws pertaining to
the liability of information exposure came under consideration following
the spectacular data exposure of information about more than 26 million
veterans and active-duty military personnel when a laptop containing
this information was stolen from the home of a Veteran's Administration
employee. This is not an isolated event, by any means—sensitive data
from millions of clients has been exposed through loss of backup media,
security compromise, and inadvertent disclosure. Credit card agencies,
universities, medical facilities, and information clearing houses are
common targets for identity thieves seeking useful information on large
numbers of people at once.

It is not enough to plan how to handle the public reaction following
data loss, because many articles of legislation include very strong penalties
that follow automatically. The Health Insurance Portability and
Accountability Act (HIPAA) is an excellent example of the type of legislation that
may affect an organization as a result of data exposure. This act includes
specific penalties, including very stiff per-item fines, whenever Protected
Health Information (PHI) has been disclosed. Beyond direct legal and
cost factors that may affect an organization, loss of customer trust can
be even more devastating to an organization. Few acts will draw public
outcry as rapidly as an accidental disclosure of data that could be used for
identity theft, credit fraud, or other person-affecting actions. Because of a
simple household burglary, now 26 million veterans and service personnel
must forever monitor their credit and watch carefully lest someone misuse
the stolen information.
Include Security at All Levels
An enterprise architect must include security when planning every level
of the enterprise architecture. Because most computers can be booted