This article can also be found in the Premium Editorial Download "Information Security magazine: Compliance vs. security: Prevent an either-or mentality."
Sarbanes-Oxley, SB 1386, HIPAA: These regulations are now part of the security vernacular. But has compliance truly helped our security posture?
It's a double-edged sword. The CEO now knows what you do for a living, or at least has an inkling. You've been invited to meetings from which you were previously excluded, chatted with executives you had never met, maybe even been thrust from the confines of middle management to a permanent seat at the executive table. What's more, the regulations have justified increased budgets and technology build-outs that might never have been approved four years ago.
But the distraction of SOX and the like has actually made your company less secure. You've spent millions of dollars to comply, put in place appropriate access controls and clearly segregated duties. You've made the auditors happy, or at the very least gotten them off your back. But you haven't protected your "secret sauce." The engineering schematics, manufacturing processes and other trade secrets that keep you ahead of the competition are vulnerable. Why? Their protection has been pushed down your to-do list as you scramble to fulfill new compliance mandates.
The result is more than an inconvenient time crunch; it's risky business. Take the recent DuPont case made public last month. A former chemist is accused of stealing approximately $400 million worth of confidential information. Protecting your intellectual property is no less important than meeting regulations.
To add insult to injury, some of the regulations lack teeth. Take HIPAA. Many in health care grouse that their users won't accept the changes; they've got patients to tend. Besides, enforcement is nil. PCI, for its part, has been lauded for its clarity, but what is being done about the recent TJX case?
Let's throw some of the federal government mandates into the mix. One civil servant recently told me that he will meet the initial HSPD-12 deadlines and do nothing. And while banks have begun to put in place measures to meet FFIEC, the biggest question mark is enforcement. Doing a risk assessment becomes difficult when you don't know what the punishment will be.
AT&T CSO Ed Amoroso summed it up well in our cover story ("Balancing Act"): "Could you imagine if you went and bought a lamp and there were 50 stickers all over it: SAS-70 approved, ISO-this approved, GLBA-approved, Sarbanes-approved? You'd imagine some frenzied lamp safety guy, bleary-eyed and drinking coffee, having completed 50 certifications to make sure the lamp is right. Well, that's us. Instead of one sticker, we have 50 stickers, and they're all asking for exactly the same thing, but you end up spending time, time, and more time satisfying different auditors and different groups. It could be more effective to have generally accepted security principles, much like the accounting professionals have GAAP."
What do you think? Should there be generally accepted principles or should you stock up on coffee and stickers?
This was first published in March 2007