The ongoing tales of security woe continue, as Sony, still working to recover from a breach of its PlayStation Network (involving loss of information on over 70 million users), announced another loss, this time from its Sony Online Entertainment operations.
The announcement stated that in this latest loss, the intruders obtained personal information for over 24 million people. Interestingly, Sony stated that this was a further data loss stemming from the original breach, not the result of a separate attack.
We don’t currently have any detailed visibility into the attack vector or sequence of events at Sony, although in yesterday’s testimony and letter to the US Congress, Sony stated that last month’s Distributed Denial-of-Service attack provided cover (or a mechanism) for the breach.
As a direct result of this attack, Sony has taken the admirable step of creating a new post of Chief Information Security Officer, as well as instituting a number of operational security improvements (automated monitoring & intrusion detection, improved data protection and encryption, network activity pattern matching, and network perimeter strengthening).
While these operational elements are important (and tactically necessary), I’d recommend to the new CISO that he or she carefully examine their enterprise and make sure that they can reliably answer the question “who has access to what?” Strategically, access governance has been shown to be a key part of an enterprise’s overall security strategy – helping organizations improve their security posture and meet compliance requirements.