There is only one primary driver for investing in security: the threats to your data and computing infrastructure. However, a secondary driver that often overshadows even the threats is compliance.
It is secondary because compliance is driven by legislation and regulations that seek to enforce a particular standard, the purpose of which is to address a threat. Often compliance has more to do with paperwork than anything else, but even so, in our day-to-day tasks security compliance has become one of the most important aspects of an IT administrator's job.
While HIPAA, GLB, and even Sarbanes-Oxley have security aspects to them, the two most important compliance measures are the Payment Card Industry standard, which dictates specific security measures for those who accept credit cards, and
Just look at the number of data loss disclosures there have been since 1386 was passed. According to PrivacyRights.org, which keeps a running tally, there have been 218,621,856 records reported lost or stolen since January 2005.
U.S. Congress and the Data Security Bill
Congress has been working on a data security bill for over three years now. Every session has seen several bills put forward. Criticism of the proposed legislation runs the gamut from “too expensive for business” to “not enough teeth.” The primary benefit of a national law will be that it will supersede all of the individual state laws. This will make compliance vastly simpler.
One of the hold-ups is that too much is being packed into one bill. Many congresspeople would like to see greater government accountability for data protection. But there are already laws for that, including the most recent, FISMA (the Federal Information Security Management Act of 2002).
Businesses and individuals would be best served if Congress would avoid bundling multiple purposes into one bill. But while we wait for Congress to finally come to grips with data security, here are some guidelines that will help you prepare for whatever is eventually passed:
First, make sure that you are following established best practices for data protection. Identify every instance of personally identifiable information (PII) in your network:
- Does your website contain a sign-up form? A survey?
- Is that data encrypted immediately?
- Are the keys well protected?
- Do your employees, contractors, and auditors have access to your PII records?
- Do they encrypt that data on their laptops?
- What do your backup and recovery procedures look like?
- Is PII encrypted when it is stored?
- How about your database security?
- Do your DBAs have unauthenticated access to PII?
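The first question on the list, finding every place PII actually lives, is the one most often skipped because nobody knows where to look. The following is an added example (not code from the article or from CIO Update) of the kind of small inventory sweep an administrator can run over exported form submissions, survey dumps, backup listings or database rows before deciding what needs encrypting. It looks for payment-card numbers and US Social Security numbers, uses the Luhn check to discard digit runs that merely look like card numbers, and reports only masked values so the sweep itself does not become another copy of the PII. The sample records, pattern names and function names are constructed for this illustration.

```python
import re

# Constructed sample records (not real people or real cards) standing in
# for lines pulled from a web sign-up form export, a survey dump or a
# database extract during a PII inventory.
SAMPLE_RECORDS = [
    "name=Alice Example; card=4111 1111 1111 1111; note=signup form",
    "name=Bob Example; ssn=123-45-6789; note=survey export",
    "name=Carol Example; card=4111 1111 1111 1112; note=typo, fails Luhn",
    "name=Dan Example; email=dan@example.com; note=no regulated PII here",
]

# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Classic US SSN layout AAA-GG-SSSS.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn mod-10 check; true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(ssn):
    """Reject SSN-shaped strings that the SSA never issues."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def mask(digits):
    """Keep only the last four digits so reports are safe to file."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(record):
    """Return a list of (kind, masked_value) pairs found in one record."""
    hits = []
    for m in CARD_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", mask(digits)))
    for m in SSN_RE.finditer(record):
        if ssn_plausible(m.group()):
            hits.append(("ssn", mask(m.group().replace("-", ""))))
    return hits


def inventory(records):
    """Map record index -> PII hits, omitting records with none."""
    result = {}
    for i, record in enumerate(records):
        hits = find_pii(record)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for idx, hits in inventory(SAMPLE_RECORDS).items():
        for kind, masked in hits:
            print(f"record {idx}: {kind} {masked}")
```

Run against the constructed records, the sweep flags the Luhn-valid card in record 0 and the SSN in record 1, ignores the mistyped card in record 2, and leaves the email-only record alone. In practice the same loop would be pointed at each location the checklist asks about (form storage, backups, laptop exports, database dumps), and every hit is a place where the encryption and key-protection questions above must be answered.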