
Page 1

© 2008 Verizon. All Rights Reserved. PTE13156 09/08

GLOBAL CAPABILITY. PERSONAL ACCOUNTABILITY.

Regulation and Deregulation: How Compliance Regulations Get Made (Birth of a New Industry)

Michael Dahn

Director, Compliance Services

Page 2

My Mexico City Trip!


Coyoacan

Teotihuacan

Xochimilco

Frida & Diego

Page 3

But I also saw this...


Page 4

Rules Keep Getting BIGGER


Page 5


“Hello Dave” - 2001: A Space Odyssey

Page 6

Know the Rules Before You Can Break Them

• Dance improvisation
– Learn the basic steps before you can improvise

• Music composition
– Learn to play an instrument before you compose a symphony

• Know which rules are:
1. Followed
2. Flexible
3. Broken


Page 7


Why Regulation?

Trying to get a handle on large problems that affect many individuals

– Monopoly
– Poor conditions
– Unbound risk
– Consumer protection

Image from Hugh MacLeoud of Gaping Void

Page 8


Background on Regulation & Deregulation

• Regulation Guidance
– 1999: Organization for Economic Co-Operation and Development (OECD)
» Review on Regulatory Policy in Mexico
– 2000: Comisión Federal de Mejora Regulatoria (Federal Regulatory Improvement Commission)
» Mexican Federal Ministry of Economy to improve competitive nature of businesses

• World Bank: Doing Business in Mexico 2009 (Study)
– The report found that 28 out of 31 cities implemented a total of 40 reforms
– Reforms produced tangible results, such as reducing the average time to open a business from 36 to 24 days and to register a property from 47 to 38 days, respectively

• Regulation enables proactive efficiency, instead of always responding

Page 9


Electronic Regulation & Privacy

• Privacy Regulations
– US Privacy Act of 1974
– US Computer Matching and Privacy Protection Act of 1988
– EU Data Protection Directive 95/46/EC (Accountability)
– Instituto Federal de Acceso a la Información y Protección de Datos
» Public access to information
» Protection of personal information

• Electronic Data Protection & Accountability
– California: SB 1386 (Data Breach Notification Laws)
– France: Commission Nationale de l'Informatique et des Libertés (CNIL)
– Mexico: Factura Electrónica (Electronic Receipts 2011)

• What are we trying to prevent?

Page 10

Data Breaches and Black Swans


Page 11


Pattern of Data Loss

• Large Data Breaches (million records)
– 3.9 :: Financial institution in 2005
– 4.2 :: Supermarket chain in 2008
– 5 :: Online bill pay in 2007
– 6.3 :: Online trading company in 2007
– 8.5 :: Banking service provider in 2007
– 12.5 :: Bank in 2008
– 17.7 :: Online adult entertainment in 2006
– 28.6 :: Government agency in 2006
– 40 :: Payment service provider in 2005
– 45.7 :: Retail store in 2007
– 76 :: Government agency in 2009
– 130 :: Payment processor in 2009

• Evolution of Methods
– Flat files, network sniffing, serial port sniffing, custom malware
– EU: retail moved to e-commerce

• What risk are we trying to prevent?

Page 12

Measuring Risk : Technical vs Financial


The Placebo of Fear & Remediation Costs

Page 13

PCI Workshop: PCI Compliance Training

Source: Flickr, user:4yas

Page 14


Vaccinations & Regulatory Compliance

• The problem is that although almost all agree that vaccination is positive for the population, not everyone agrees that it is positive for the individual

• Individuals say:
– My environment is already secure
– I know how to manage risk better than the regulatory bodies
– My environment is special and unique and does not fit into your Procrustean boxes

• Are we as secure as we think we are?
– Do we rely on third parties?
– Who do we share data with?
– Who do we give access to our data and systems?

Page 15


Vaccinations & Regulatory Compliance

• Economics of Immunization and Compliance
– A poorer population will benefit more strongly from an immunization program than one that maintains a high level of sanitation, health care, and treatment programs
– A more vulnerable population (e.g. retail, restaurants, higher education, e-commerce, etc.) will benefit more from regulatory compliance than one that is more highly secure

• The cause of action to vaccinate a population is to immunize them from each other
– “Seatbelt Fallacy” of Security Solutions
– Data stolen from one location can affect fraud at another location, resulting in mutually assured negative impact

• Tipping point of vaccination
– “An aggressive vaccination program that first targets children and ultimately reaches 70% of the US population would mitigate pandemic influenza [flu]”
» Vaccine and Infectious Disease Institute (VIDI) at Fred Hutchinson Cancer Research Center

• So what makes us happy?

Page 16

PCI Workshop: PCI Compliance Training


Page 17

PCI Workshop: PCI Compliance Training


Page 18

Understand the Intent

“Do not focus on the finger or you will miss all that heavenly glory [of Regulatory Compliance]” - Bruce Lee, Enter the Dragon


Page 19

Example: Audit Logging

• Payment Card Industry Data Security Standard (PCI DSS)
– Requirement 10.2
» All individual accesses to cardholder data
» All actions taken by any individual with root or administrative privileges
» Access to all audit trails
» Invalid logical access attempts
» Use of identification and authentication mechanisms
» Initialization of the audit logs
» Creation and deletion of system-level objects
– Intent
» Alert on suspicious activity
» Facilitate a forensic investigation
– Understanding intent is only the beginning...
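Added example (not from the slides or from Verizon): a small Python classifier that maps constructed, syslog-style records to the Requirement 10.2 event classes listed above and then applies the two stated intents, alerting on repeated invalid access attempts and reporting which event classes a log actually evidences for an investigation. The log lines, the matching patterns and the five-failure threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample audit records (syslog-like); not taken from any real system.
SAMPLE_LOG = """\
2010-05-03T09:12:01 host1 sshd: Failed password for alice from 10.0.0.5
2010-05-03T09:12:04 host1 sshd: Failed password for alice from 10.0.0.5
2010-05-03T09:12:07 host1 sshd: Failed password for alice from 10.0.0.5
2010-05-03T09:12:10 host1 sshd: Failed password for alice from 10.0.0.5
2010-05-03T09:12:13 host1 sshd: Failed password for alice from 10.0.0.5
2010-05-03T09:12:20 host1 sshd: Accepted password for bob from 10.0.0.7
2010-05-03T09:13:02 host1 sudo: bob : COMMAND=/bin/cat /var/log/audit/audit.log
2010-05-03T09:13:40 host1 sudo: bob : COMMAND=/usr/sbin/useradd svc_batch
2010-05-03T09:14:00 host1 auditd: Audit daemon started
2010-05-03T09:15:11 host1 app: user=carol action=READ table=cardholder rows=12
"""

# The PCI DSS 10.2 event classes named on the slide, each matched by a pattern.
# The patterns are assumptions about log wording, not part of the standard.
RULES = [
    (r"Failed password", "10.2 Invalid logical access attempts"),
    (r"Accepted password", "10.2 Use of identification and authentication mechanisms"),
    (r"COMMAND=.*audit", "10.2 Access to all audit trails"),
    (r"COMMAND=.*useradd", "10.2 Creation and deletion of system-level objects"),
    (r"sudo: ", "10.2 Actions taken by an individual with root or administrative privileges"),
    (r"Audit daemon started", "10.2 Initialization of the audit logs"),
    (r"table=cardholder", "10.2 Individual accesses to cardholder data"),
]

def classify(line):
    """Return every 10.2 event class a record satisfies (a sudo line may hit several)."""
    return [label for pat, label in RULES if re.search(pat, line)]

def alerts(log_text, threshold=5):
    """Intent 'alert on suspicious activity': accounts with >= threshold failed logins."""
    failures = Counter()
    for line in log_text.splitlines():
        m = re.search(r"Failed password for (\S+)", line)
        if m:
            failures[m.group(1)] += 1
    return {user: n for user, n in failures.items() if n >= threshold}

def coverage(log_text):
    """Intent 'facilitate a forensic investigation': which 10.2 classes the log evidences."""
    seen = set()
    for line in log_text.splitlines():
        seen.update(classify(line))
    return sorted(seen)
```

A class missing from coverage() on a production log is a gap in the audit trail itself, which no amount of alerting compensates for.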


Page 20

Verizon PCI Compliance Report 2010

• Are all regulatory requirements equally important?

• What are organizations good/bad at doing?

• How does regulatory adherence impact data breaches?

• How effective is regulatory compliance?


http://www.verizonbusiness.com/go/pcireport

Page 21

Compliance vs Validation

In order to understand the report and the conclusions drawn from the data, it is necessary to differentiate between “compliance” and “validation”.

Compliance: A continuous process of adhering to the regulatory standard as set forth in the PCI DSS

Validation: A point-in-time event

Page 22

Compliance Statistics


Page 23

What are organizations bad at doing?


Data Encryption

Manual & Reoccurring Activities

Page 24

% of Organizations Meeting PCI DSS Requirements


Page 25

PCI Workshop: PCI Compliance Training

Source: Flickr, user:h-k-d

Page 26


3 Habits of Highly Effective Regulation

• Education, Education, Education!
– Drives adoption and adherence

• Flexibility of controls
– 100% compliance is not the goal when system failures occur in groups
– PCI DSS “Compensating controls”
– EU Data Protection Directive “Comply or explain”

• More data for Risk Modeling
– Can we ever manage risk on a moving target?
– Frequentist vs. Bayesian statistics

Page 27


What’s the Solution?

• “Building more roads to ease traffic is like trying to cure obesity by loosening the belt”
– Richard Moe, Head of the US National Trust for Historic Preservation

• Simply applying “more” security does not necessarily mean you achieve “better” security
– Rotate days that cars are permitted on the road?

• Help prevent data sprawl
– Security is required where data is maintained
» Data, data, anywhere?
» Data, data, everywhere?
– Reduce scope through grouping of systems
– Business Process Re-engineering
– The more complex a system, the harder (and more costly) it is to maintain

Page 28


What’s the Solution?

• Examine Use Cases
– Medical record data vs. payment card data
– Data retention sometimes required, but what do you retain?
» Debt collection agencies
» Reoccurring payments
» Data mining and analysis

• Cost to secure data vs. Business need for data
– The cost of securing data can be proportional to the volume of it

• Brute force is effective but costly, while the elegant solution is simple and secure
– “PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.”
– Tokenization or Data Surrogacy
– Point-to-Point (End-to-End) Encryption
– Network Segmentation

Page 29


Questions?