Highest Rated Comments


francoisellis132 karma

Thanks for the extensive answer to a well articulated question.

francoisellis61 karma

Bill, as a Cyber Security worker myself, are you in favor of a national personal information regulatory agency? I've gone back and forth on this several times, and keep landing on the fact that personal information needs a centralized enforcement agency, similar to the IRS, with the power to force institutions to use standards and policies that make sense, and assure the safe keeping of everyone's personal data. Additionally, what do you think of a national two-step verification system for every person's Social Security number?

francoisellis11 karma

the Internet is working well

Wait, what? I'm truly lost and think you completely misunderstood what I'm getting at. I'm simply stating the following: there are plenty of industry-approved, vetted, and communicated standards and policies that dictate how people should be handling systems of various levels of criticality, specifically with regards to personal information. These standards deal with how information is stored, transmitted, accessed, etc. It has absolutely nothing to do with collecting any additional information. I'm simply suggesting that these standards and policies be enforced by an external agency, as my industry (Banking) widely lacks the necessary IT controls that safeguard the data that you provide them with. Stop trying to state that I'm suggesting less freedom or regulating the internet; that's idiotic. And no, I'm CRISC certified and hold a quantitative finance degree.

francoisellis8 karma

And just to be clear to those reading my question, I'm not suggesting that the personal information agency would collect any data, they would be in charge of enforcement of well established cyber security practices and controls that should be implemented across all systems that house PI.

francoisellis8 karma

This is inaccurate. Verifying that your systems use token authentication, multi-factor authentication, vulnerability scans before production, etc. does NOT need personal data. As a matter of fact, COBIT standards and policies are specifically enforceable without placing PI at risk.