Laws, Regulations, and Standards
Laws, regulations, and standards are put in place to protect consumers and their privacy rights. The cybersecurity professional has a duty to adhere to federal, state, and local laws and regulations and to the standards they recommend. He or she also has a fiduciary obligation to the organization to perform due diligence: to keep the organization in compliance with those laws, regulations, and standards; to implement security policies and procedures that protect people; to properly maintain and manage the information systems; and to protect the physical assets. Due diligence includes selecting and maintaining security controls (physical, administrative, and technical) designed to protect the Confidentiality, Integrity, and Availability of the organization's data. A physical control is a physical barrier or device that prevents or deters access, for example a locked door or barbed wire. An administrative control is a policy or procedure that relies on a person to take some action, for example requiring a supervisor to approve a cash refund. A technical (logical) control is enforced by hardware or software rather than by people; passwords, antivirus software, and firewalls are technical controls.

A lack of due diligence in providing these safeguards lies behind many breaches involving massive numbers of customer accounts, and regulators have levied heavy fines on organizations such as Yahoo and Facebook as a result. Yahoo disclosed that more than a billion user accounts had been compromised (Krebs, 2016). Marissa Mayer, who became Yahoo's CEO in mid-2012, emphasized the look and simplicity of Yahoo Mail over security measures. Alex Stamos, Yahoo's Chief Information Security Officer, called for end-to-end encryption to improve security; Mayer denied the request. Yahoo's internal security team was known as the "Paranoids," and it often clashed with the business side over the cost of security. The New York Times reported the following (Perlroth & Goel, 2016):
"With so many competing priorities, she emphasized creating a cleaner look for services like Yahoo Mail and developing new products over making security improvements, the Yahoo employees said.
The 2014 hiring of Mr. Stamos — who had a reputation for pushing for privacy and antisurveillance measures — was widely hailed by the security community as a sign that Yahoo was prioritizing its users' privacy and security. The current and former employees say he inspired a small team of young engineers to develop more secure code, improve the company's defenses — including encrypting traffic between Yahoo's data centers — hunt down criminal activity and successfully collaborate with other companies in sharing threat data. He also dispatched "red teams" of employees to break into Yahoo's systems and report back what they found. But when it came time to commit meaningful dollars to improve Yahoo's security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees.
Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services." (Perlroth & Goel, 2016)
References
Krebs, B. (2016, December 14). Yahoo: One Billion More Accounts Hacked. Retrieved from Krebs on Security: https://krebsonsecurity.com/2016/12/yahoo-one-billion-more-accounts-hacked/
Perlroth, N., & Goel, V. (2016, September 28). Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say. Retrieved from The New York Times: https://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html