[ISN] New laws to drive '04 security agenda

From: InfoSec News (isn@private)
Date: Tue Nov 11 2003 - 04:46:58 PST

    http://www.computerworld.com/securitytopics/security/story/0,10801,87002,00.html
    
    Story by Jaikumar Vijayan 
    NOVEMBER 10, 2003 
    COMPUTERWORLD 
    
    WASHINGTON -- The need to comply with an array of complex data laws
    will dominate the security agenda in 2004, according to attendees at
    the Computer Security Institute conference here last week.
    
    As in previous years, IT security managers expect to spend
    considerable time and resources fending off destructive intrusions and
    insider threats.
    
    But the most daunting challenge will be dealing with laws such as the 
    Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, California's SB 1386 
    privacy law and international data integrity and privacy laws, they 
    said. As a result, the emphasis will be on issues such as policy 
    management and enforcement, benchmarking against standards, incident 
    response, forensics and monitoring for insider threats. 
    
    "As far as my business and industry in general goes, the single 
    biggest driver is compliance with all the new data and privacy laws," 
    said Michael Kamens, global network security manager at Thermo 
    Electron Corp., a $2 billion manufacturer of scientific equipment in 
    Waltham, Mass. 
    
    As a publicly traded U.S. manufacturer with multinational operations, 
    Thermo has to deal with compliance issues ranging from Sarbanes-Oxley 
    to a Chinese encryption requirement that involves filling out forms in 
    Mandarin. "It is requiring me to quadruple the effort that I have to 
    put in on a daily basis to ensure that my company is in compliance and 
    that I'm safeguarding its good name," Kamens said. 
    
    United Government Services LLC, a Milwaukee-based provider of 
    administrative and consulting services for publicly funded health care 
    systems, is governed by 400 security requirements issued by the 
    Centers for Medicare and Medicaid Services. Meeting all of them will 
    be a "very large driver" of security efforts next year, said systems 
    security officer Todd Fitzgerald. 
    
    For the most part, the efforts will focus not on technology 
    improvements but on implementing security policies and management 
    processes to ensure regulatory compliance. "It's a process that will 
    involve spending a lot more time working with management and end 
    users, educating them on what the security risks are," Fitzgerald 
    said. 
    
    Third-party connectivity issues are a priority at St. Jude Medical 
    Inc. in St. Paul, Minn. 
    
    As a $1.6 billion manufacturer of cardiovascular equipment, with 15 
    facilities worldwide and customers in 120 countries, St. Jude has to 
    make sure it avoids liability for security breaches involving its 
    supply chain or business partners, said David Stacey, global IT 
    security director. 
    
    "Regulation is a massive issue, and most organizations are clearly not 
    ready to deal with the myriad issues and details involved," said Ben 
    Rothke, a senior security consultant at Thrupoint Inc., a management 
    services company in New York. 
    
    Complying with data regulations will mean turning traditional notions 
    of the IT security function and its role within organizations upside 
    down, said Terri Curran, director of research at the Center for 
    Digital Forensic Studies Ltd. in Auburn Hills, Mich. 
    
    "CSOs in the near future are going to have to get more creative about 
    things like privacy, risk acceptance, forensics, industry-related 
    regulations, and state and federal laws that are really going to 
    affect them," Curran said. 
    
    
    -
    ISN is currently hosted by Attrition.org