A letter was sent to Congressional leaders from 40 organizations representing many types of businesses, asking for legislation that would create a single federal law applying to all breached organizations. This would standardize the processing required in the event of a breach of sensitive data and reduce confusion. Consistency is a great idea. I'd like to see this go one step further and standardize the information that is obtained from the breached organization.
Here are 5 things that we might want to know as a start:
- The type of network security that is being used.
- The third parties connected to their networks.
- The number of copies of sensitive data that exist throughout their network.
- The location of the breached data within their network (e.g., DMZ, test, QA).
- Who has access to what?
The bad guys are out there and we need to step up our knowledge base if we are going to outdo them.