ta_1138 | 1 year ago

The typical IT department in a large corporation is way too big to have reasonable visibility into what it manages. There's no way to build reasonable controls that work out when you have 50K programmers on staff. It's purely a matter of size.

Often the end result is having just enough red tape to turn a 2-week project into an 8-month project, and yet not enough to make sure it's impossible for someone to, say, build a data lake into a new cloud for some reports that just happen to have names, addresses and emails. Too big to manage.

anyonecancode|1 year ago

Which gets back to the original point, that the real answer is to minimize how much data is held in the first place. Controls will always be insufficient to prevent breaches. Companies and organizations should keep less data, keep it for less time, and try harder to avoid collecting PII in the first place.

gregw2|1 year ago

I don't disagree with you, but as someone who has thought a moderate amount about data security at a "bigco", I will point out something I haven't seen people really talk about...

Audit trails (of who did/saw what in a system) and PII-reduction (so you don't know who did what) are fundamentally at odds.

Assuming you are already handling "sensitive PII" (SSNs/payroll/HIPAA/credit card # data) appropriately, which constitutes security best practice: PII-reduction or audit-reduction?

tsimionescu|1 year ago

Let's say the CEO agrees with you and is horrified by any amount of unnecessary data being stored.

How would they then enforce this in a large company with 50k programmers? This was what the previous post was discussing.

Not to mention, a lot of this data is necessary. If you're invoicing, you need to store the names and many other kinds of sensitive data of your customers; you are legally required to do so.

thayne|1 year ago

That is easier said than done. In order to achieve that effectively, every employee that has any relation to data needs to be constantly vigilant in keeping PII to a minimum, and properly secured.

It is often much easier to use an email address or an SSN when a randomly generated id, or even a hash of the original data, would work fine.

I'm not saying that we shouldn't put more effort into reducing the amount of data kept, but it isn't as simple as just saying "collect less data".

And sometimes you can't avoid keeping PII.
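
An added example, not part of any comment in this thread: one way to replace an email address or SSN with a stable token, so that an audit trail can still link events to the same subject without storing the raw identifier. It uses a keyed HMAC rather than a bare hash, because a low-entropy value such as an SSN can be recovered from an unkeyed hash by enumeration. The key, field names, function names and sample events are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import re

# Constructed key for the example; the assumption is that a real key is held
# in a secrets manager, separate from the store that holds the tokens.
PSEUDONYM_KEY = b"constructed-example-key-not-for-production"


def normalize(field: str, value: str) -> str:
    """Canonicalize so the same subject always maps to the same token."""
    value = value.strip()
    if field == "email":
        return value.lower()
    if field == "ssn":
        return re.sub(r"\D", "", value)  # drop dashes and spaces
    return value


def pseudonym(field: str, value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed token: stable for joins, not recomputable without the key."""
    # The field name is mixed in so an email and an SSN never share a token space.
    msg = field.encode() + b"\x00" + normalize(field, value).encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{field}_{digest[:32]}"


def scrub(record: dict, pii_fields=("email", "ssn")) -> dict:
    """Replace PII fields with tokens; leave other fields untouched."""
    return {k: pseudonym(k, v) if k in pii_fields else v
            for k, v in record.items()}


# Constructed sample audit events (not real data).
EVENTS = [
    {"email": "Alice@Example.com", "action": "export_report"},
    {"email": " alice@example.com", "action": "view_invoice"},
    {"email": "bob@example.com", "action": "view_invoice"},
]


def scrubbed_events() -> list:
    return [scrub(e) for e in EVENTS]


if __name__ == "__main__":
    for event in scrubbed_events():
        print(event)
```

The tokens remain linkable by anyone holding the key, so this is pseudonymization rather than anonymization; destroying the key is what severs the link.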