[ISN] Regulation Compliance Tops Companies' Security Concerns

From: InfoSec News (isn@private)
Date: Tue May 18 2004 - 03:14:24 PDT


    http://channelzone.ziffdavis.com/article2/0,1759,1594080,00.asp
    
    May 17, 2004
    By Karen D. Schwartz
    
    Just a few short years ago, the primary security-related concern for
    most IT executives was how to prevent hackers from infiltrating their
    companies' systems. Although that issue still is quite relevant, it's
    no longer the top concern of many organizations. Today, that honor
    goes to how to comply with the increasing number of regulatory and
    compliance mandates required by the U.S. government. Some of these
    requirements, such as Gramm-Leach-Bliley and Sarbanes-Oxley, apply to
    virtually all corporations, while others, such as the Health Insurance
    Portability and Accountability Act (HIPAA) and the Basel II Accord,
    affect specific industries.
    
    The unifying thread among all of these mandates is the need to
    adequately protect personal information - an issue that can cause
    significant challenge and confusion for IT managers who are unfamiliar
    with the available tools and methods for satisfying these
    requirements.
    
    Helping organizations comply with this panoply of regulations,
    however, has created significant opportunity for resellers, says Ed
    Smith, director of security solutions at Forsythe Technology Inc., a
    technology infrastructure solution provider based in Skokie, Ill.
    
    "These regulations don't require specific technology, which makes them
    confusing and vague. Some say you have to provide access control, for
    example, but they don't specify how to do it," Smith says. To solve
    the problem, many organizations are turning to resellers who
    specialize in building compliance-ready environments and stand ready
    to map those environments to the organization's framework, best
    practices and standards.
    
    Resellers and systems integrators fulfill a real need in the
    compliance arena, agrees Michael Rasmussen, director of information
    security at Forrester Research Inc., a Cambridge, Mass., IT
    consultancy.
    
    Not only is there no off-the-shelf product to deal with compliance and
    security issues, but creativity and ingenuity tend to be key to
    success, Rasmussen says. "It's about building a culture of security
    and governance within the organization, as well as selecting the right
    products and assigning the appropriate management and staffing to
    them."
    
    Although not yet a requirement, the government's recent push to
    address cyber-security is beginning to rank nearly as high as
    regulatory compliance for companies trying to stay on the cutting edge
    of security requirements. Spearheaded by the National Cyber Security
    Partnership Task Force, a public-private partnership led by a variety
    of trade groups and the U.S. Chamber of Commerce, the goal is to
    develop strategies to better secure critical information
    infrastructure.
    
    Slowly but surely, the push to implement better cyber-security is
    trickling down from government to private industry, encouraging
    resellers to develop solutions and methodologies for implementing
    these practices within their client base.
    
    "We're encouraging the private sector to adopt what's happening in the
    public sector because cyber-security cuts across everything and should
    be part of the overall business model," says Jeff Tye, founder of GMP
    Networks, a Tucson, Ariz., security integrator.
    
    But at least for now, compliance and cyber-security issues remain more
    relevant to larger companies than smaller ones. These issues,
    generally grouped under the term "information security," include
    financial integrity, regulatory compliance, privacy, intellectual
    property and industrial espionage. Smaller companies, on the other
    hand, tend to remain focused on IT security - technology that includes
    firewalls, disaster recovery, patch management, intrusion-detection
    systems, and encryption and anti-virus software.
    
    That's changing, but slowly, Smith notes. "You have to become a
    trusted adviser beyond just offering the latest technology. It's about
    understanding their problems and then developing an appropriate
    solution - whatever the need."
    
    
    
    GLOSSARY OF TERMS
    
    
    Sarbanes-Oxley Act of 2002: Mandates a comprehensive accounting
    framework for all public companies doing business in the United
    States. Companies must disclose all relevant financial performance
    information publicly, creating the need for more stringent digital
    data integrity and accountability controls.
    
    
    Health Insurance Portability and Accountability Act of 1996 (HIPAA):
    One part of this act deals with the standardization of health
    care-related information systems, establishing standardized mechanisms
    for electronic data interchange, security and confidentiality of all
    health care-related data.
    
    
    Gramm-Leach-Bliley Act of 1999: Enacted to protect consumers' private
    financial information. It put processes in place to control the use of
    consumers' private information and included requirements to secure and
    protect the data from unauthorized use or access.
    
    
    Basel II: The Basel II Accord is a regulatory framework governing risk
    management practices, developed by the Bank for International
    Settlements. Companies have until the end of 2006 to comply with it.
    The accord consists of minimum capital requirement, supervisory review
    of capital adequacy and public disclosure. And new guidelines on
    operational risk may cause banks to need to implement more
    comprehensive business continuity solutions. Once finalized, it will
    give banks a more standard way of evaluating risk.
    
    
    Cyber-security: Simply put, cyber-security is the act of protecting
    all corporate information from potential harm through identification,
    protection and defense. The U.S. government is doing its best to
    encourage organizations to deal with cyber-security. The National
    Cyber Security Partnership Task Force, for example, recently issued a
    report recommending ways of reducing security vulnerabilities by
    adopting existing standards and best practices, using common software
    security configurations, developing guidelines for secure equipment
    deployment and network architectures, and improving the processes
    commonly used to develop security specifications and conduct security
    evaluations.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    
    This archive was generated by hypermail 2b30 : Tue May 18 2004 - 05:24:35 PDT