To regulate IT Security controls/practices or not?!

Posted on May 5th, 2008 by Drazen Drazic

With little to no regulation around IT security practices and controls in Australia, have we fallen behind other major trading partners like the US and countries in Europe? I think the answer is most definitely yes, but I welcome your thoughts on this.

This is not new; it’s something I have ranted about here for a while. But as we see the landscape change elsewhere toward tighter regulation, with data breach disclosure laws, for example, coming into existence in other parts of the world, we seem to talk more than act. The PCI DSS has been the biggest thing to hit Australian business in terms of enforcing good practice, and even that operates outside the bounds of government and local regulation: it is an industry standard imposed through card-brand contracts, not law.

No one’s perfect, but have we really progressed much in the last few years? Sure, security awareness is higher than it has ever been, but are security issues being addressed at their root, or does awareness just mean actioning the latest hot topic? I put it out there that it is the latter.

Who’s addressing risk management properly? Who’s approaching security from a strategic perspective?

It’s more than just an IT security issue. It’s a business issue, a shareholder value issue, a national security issue, and so on. Is regulation the key to change here? If not, what is?

2 Responses to “To regulate IT Security controls/practices or not?!”

  1. Is IT Security/Technology Risk Management a discipline or an art; is it subjective or objective? (Is information technology deterministic or just overly complex?)

    Are IT systems and frameworks closed systems? What comparable frameworks or systems (through which value transits) must defend against sentient attackers who attempt to subvert, control or disable services?

    Can organisations quantify the value of information in motion or at rest within their managed footprint? Can they independently verify/audit the flows and data objects present? Somehow the bad guys have a better appreciation for CPU, disk and BW and SERVICE than we have!

    Does it come down to simple economics? How to incentivise and penalise?

    Surely ‘Critical Infrastructure’ should be held to extremely high standards by an independent body of technical auditors?

    Does it really come back to accountability? Do we/they/us/them need to get burned badly (which the miscreants don’t want either!) before we are enlightened…

    Can the little guys afford the head count of the big boys? (big boys who actually sometimes have *less* of a clue about their systems than the little guys in the first place!). Is it possible that sink-holing traffic centrally in the cloud will give us the visibility/control we have hoped for? Thin offices perhaps staffed with ‘thin’ people :)

    For me it comes back to a simple paradigm. You can’t manage what you can’t measure. We need to return to atomic units via reductionist thought. This is what I hope shall come with cloud and utility computing. Can you or the cloud provider “afford” NON-integral CPU, DISK, FLOWS, BW, KILOWATTS… runaway code… such that it now becomes a billing issue? Once IT shops in enterprises start properly implementing “charge-back” rather than a flat rate service we may see some changes… this coupled with a metric/cost applicable to shared infrastructure such as network fabrics, DNS, NTP, control planes etc.

    How can we secure a service when we can’t even charge for a service?

    Billing 2.0, Utility 2.0, Employment 2.0

  2. Well, here in the US, our regulations are limited (in large part) to four pieces of legislation: Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, and FERPA. In all four cases, increased attention to and spending on security come as a result of the requirements laid out in those bills.

    SOX is aimed at publicly traded companies and focuses on financial controls, not information security. HIPAA focuses on healthcare information, and access to that information in standardized formats to make it easier for insurance companies and hospitals to talk. Again, security only comes into play for portions of HIPAA.

    GLBA focuses on banking and FERPA focuses on higher education. In both cases, the laws outline what can and cannot be done with your customers’ data, and place some requirements for protection of data in custody.

    In the end, these laws only cover a portion of our commercial field. PCI covers more, but you already addressed that, and it’s not a law. For certain our vendors have seen growth from the regulatory alphabet soup, but none of these laws say “you must be secure.” I think what we’re seeing is increased awareness across the organization, and this is where SOX especially has helped: if your CFO must sign on the dotted line, he or she is [theoretically] going to put in the extra effort to make sure all the necessary controls are in place. And that will include IT security.

    As to whether it would be a good thing to have required-by-law information security, of course it sounds nice, and it helps our employability as security professionals. But it’s hard enough to complete a large rollout without huge heated deadlines. SOX was incredibly expensive for public US companies, and it put huge strains on their auditors to get up to speed and cover their half of the bargain.
