One more thing re: the State Dept. passport breach. Notice who's in the news taking the heat for the breach: the CEO of the State Department. That's exactly what we were told would happen at the Gartner GRC Summit a few weeks ago. It's the C-level executives who take the fall when a high-profile breach occurs, which is one of the reasons why governance is vital to the business, and why a correctly done risk analysis should beget executive sponsorship for risk mitigation solutions.
It's really interesting to me that such a seemingly ordinary act has become such a high-profile breach. By ordinary act, I mean one that appears non-malicious and is performed entirely within approved rights and privileges. These employees were GIVEN the power to act. They didn't have to TAKE the power through theft or hacking. And that's the risk with privileged users. With them, it's not about security controls. They can simply decide to subvert policy. That's why Dave's post was so timely. You can audit every transaction.