The Compliance Hangover (and How to Fight It)

Bill Brenner, Senior Editor, Sept. 24, 2009

Description: A presentation I'm giving Sept. 24 at the Secure Boston event put on by (ISC)2

Transcript of The Compliance Hangover (and How to Fight It)

Page 1: The Compliance Hangover (and How to Fight It)

Bill Brenner, Senior Editor, Sept. 24, 2009

Page 2: About me…

Bill Brenner, Senior Editor, CSOonline/CSO Magazine

Six years of covering the challenges of security compliance

Page 3: The problem…

• Many government regulations on the books, including Sarbanes-Oxley, HIPAA, GLB

• Then there are the industry standards, most notably PCI DSS

• Throw in separate data protection/breach disclosure laws in almost every state, and…

• CONFUSION AND EVEN A LITTLE PANIC ENSUES

Page 4: Regulatory soup…

• The Sarbanes-Oxley Act of 2002

• Enacted on July 30, 2002, as a reaction to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.

• Required that companies implement a number of security controls they hadn’t previously thought about.

Page 5: Regulatory soup…

• Health Insurance Portability and Accountability Act (HIPAA)

• Enacted by the U.S. Congress in 1996.

• Administration Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.

Page 6: Regulatory soup…

• Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999

• GLBA compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats in security and data integrity.

Page 7: Big complication 1: PCI DSS

• The Payment Card Industry’s response to the wave of data security breaches.

• Requires any company that takes credit cards to implement a series of security measures

• The problem…

• Those who had finally implemented controls for the previous regulations were left to figure out how this differed from what they had already done.

• PCI DSS is also updated regularly to address evolving attack vectors, keeping compliance officers on their toes.

Page 8: State laws: The Giles Corey effect…

• During the Salem Witch Trials, this unfortunate farmer was slowly pressed to death because he refused to enter a plea. He defiantly told his torturers to “add more weight” each time he was urged to enter a plea.

• What does he have to do with state data protection/disclosure laws?

• Nothing, but I bring him up because IT security practitioners often tell me the pile-on of laws makes them feel like they’re being pressed to death.

Page 9: State laws to date…

• Five years after California's landmark SB 1386, CSOonline released a nifty, interactive map showing which states have passed laws requiring companies to notify consumers whose personal information has been compromised. We UPDATED it 7/28/2008, when the count was 38 states. At last check, we were past the 40 mark.

Page 10: Latest source of heartburn: Mass 201 CMR 17

• CSOonline: Mass 201 CMR 17: A Survival Guide for the Anxious

• Security experts offer tips for navigating Mass 201 CMR 17. Will your business be ready?

• By Bill Brenner, Senior Editor, July 23, 2009, CSO

• FRAMINGHAM, Mass. -- David Escalante has as much cause as any IT security practitioner to be nervous about Mass 201 CMR 17, the tough Massachusetts data protection requirements organizations must comply with by Jan. 1, 2010.

• As director of computer policy and security at Boston College, he oversees the security of a computer network accessed daily by some 10,000 students who storm the campus after Labor Day with myriad personal computing devices loaded with any number of sinister programs. (See Six Essential Steps to Secure Academia.)

• Yet he was cool and calm during a CSO Executive Seminar on Mass 201 CMR 17.00 Thursday, as were the other legal and security experts on hand.

• The reason -- they're reasonably confident most companies will survive this latest compliance push unscathed. And why not? Many of the provisions are basic best practices other government regulations and industry standards have required for years.

• That's not to say this is a piece of cake. Compliance doesn't always ensure security. The Hannaford supermarket chain learned this the hard way after suffering a data breach despite all the PCI DSS compliance work it had done.

Page 11: Latest source of heartburn: Mass 201 CMR 17

• The Basics: Deadline delayed more than once and is now March 1, 2010

• The regulations mandate that personal information, a combination of a name along with a Social Security number, bank account number, or credit card number, be encrypted when stored on portable devices, or transmitted wirelessly or on public networks.

• Encryption of personal information on portable devices carrying identity data like laptops, PDAs and flash drives

Page 12: The good news…

• While there are some differences from law to law, standard to standard, the core requirements are basically the same. Just a few examples:

• Encryption of data

• Network segmentation

• Log management

• Patch management

• Firewalls

• Anti-malware

• Strong policies to govern what employees can and can’t do on company computers

Page 13: You may not like QSAs, but they’re not the enemy

• Companies hate when someone comes in to poke around the network and draw up lists of improvements that must be made. Improvements=money.

• QSAs don’t always catch everything. They too are human.

• Heartland CEO Robert Carr lashed out against his QSAs for missing flaws that led to a data breach but giving his company a passing PCI grade.

• Give them as much access as possible and be honest about shortcomings you are already aware of.

• In most cases, they will work with you. In fact, they WANT to help you, not sink you.

Page 14: No one WANTS you to fail

• If there are upgrades you must make and you don’t think you can meet the compliance deadline, the individual authorities (states, PCI DSS Council, QSAs) aren’t going to run you out of business.

• Be open and ask for help, and you’ll be fine.

• Try to sneak by and you risk suffering a data breach, which COULD run you out of business.

Page 15: Thanks!

• Bill Brenner

• Senior Editor, CSO magazine/CSOonline

• [email protected]

• Office phone: 1-508-988-7587

• IM: bbrenner70

• Twitter: BillBrenner70

• LinkedIn: http://www.linkedin.com/profile?viewProfile=&key=3382655&trk=tab_pro

• Facebook: http://www.facebook.com/home.php?ref=home#/bill.brenner