Quote:
Originally Posted by Zimmer4141
How many people have access to this information and who are they?
Are there any restrictions on what these people can do with that information?
It's likely they don't even know. Most "start-up" companies turn a blind eye to access controls and security because it tends to slow things down when the company is going 100mph. Even if they produce a list of who can access the data, it's likely incomplete or just ignores other methods someone can use to access the data.
Example: Two DBAs have access to the main database. Company says two employees have access to the data. However, a number of sysadmins have root on the machine and thus could read the data. Also, a number of employees can request ad-hoc reports from the DBAs.
Even companies that are slightly more mature tend to put emphasis on the following types of data:
PII (Personally Identifiable Information) - Names, addresses, SSN, and email addresses to some degree.
Payment information - Credit cards, bank records.
Credential storage - customer passwords and internal system credentials
Other records tend to be fair game unless there's an internal push to protect them.
I only mention this to set an expectation of how new companies typically handle data and access controls. (Very weak) That's not to say DraftKings falls into this area, but it'd be silly to assume they are doing anything more than industry average for a company their size until some external auditors come in and prove it. (And even that's not foolproof!)
btw, I work in the security/audit industry. I don't actively read this thread, but pm me if you have audit/data security questions. felt like posting this to blow off some steam.