|
[IMAGE]
Tipping the Scales
In a post-September 11, regulated world, upper management could no longer keep its head in the sand regarding security.
"Security had to be addressed. So in that regard, compliance was a positive force for security practitioners," says Jerry Freese, director of IT security engineering for American Electric Power, a power generator and distributor based in Columbus, Ohio. In fact, in heavily regulated industries such as telecommunications, retail and financial services, more than 60 percent of respondents to last year's annual CSI/FBI survey say SOX has raised the level of interest in information security.
Regulatory focus has been a significant shift for security managers. A few years ago, IT security centered on technical defenses: network access control and segmentation, anti-x software, and updating intrusion detection sensors. Many chief information security officers were as comfortable working a Unix command prompt as an Internet browser, and would spend hours each day overseeing arcane firewall rule sets within cumbersome command-line interfaces. IT security was about closing network and application security gaps that could let criminals slith...
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
er through.
"In many respects, we will look back on those days as simpler times," says Hession. "Reg- ulatory compliance has changed everything."
High-profile corporate account- ing scandals, followed by months of unprecedented data leaks, changed the landscape. The bad news kept rolling in, and so did the regulatory burdens that followed.
SOX changed the way the financial information of public companies is managed. The Patriot Act, passed in October 2001, brought unparalleled reporting and customer monitoring requirements, while the Federal Informa-tion Security Management Act of 2002 mandates cybersecurity enhancements among federal agencies. In addition, more than 30 states followed California's lead and passed data breach disclosure laws that closely modeled SB 1386. Pile on industry-specific mandates, such as the HIPAA security rules for health care, and the Payment Card Industry's Data Security Standard, and security managers are forced to balance security and compliance, and make some difficult decisions that don't always result in a more secure environment.
"Regulatory compliance has become a new threat," says Pete Lindstrom, a security analyst at the research firm Burton Group.
|
 |
|
