About time
Why does it always take a monumental embarrassing failure to get governments to do things like this?
The information commissioner says that government has improved both its data protection and its disclosure of such work. Christopher Graham was commenting on a Cabinet Office report which sets out work since the Data Handling Review of June 2008, which set out measures for departments to improve data security. He was positive …
... that are reactive rather than proactive. Businesses from the very small to the very large are equally guilty - think TJX, think HSBC, and they're just the high-profile ones. Often it's not until you have a breach that you know something has a vulnerability. You can point at penetration testing, vulnerability assessments, data security and the like, and they are all very good things to point at, but infosec isn't something you 'do', it's something you 'are'. It's a constant cat-and-mouse game between those who seek to protect information and those who seek to obtain information. Absolutely some of the more blunderous problems should never have happened, but the fact that things have improved considerably should be applauded.
Mine's the one with the CISSP 10 Domains of InfoSec Guidebook in the (extremely large) pocket