I recently presented at a webinar alongside LogLogic on the issues of compliance for IT professionals. Here is an edited transcript of my talk.
Until fairly recently, information security people were buried away in server rooms configuring firewalls and patching servers. With the sudden surge of compliance and regulatory requirements being placed onto a business, IT security people are now required to understand and help implement compliance solutions.
But how can security teams help join the dots between their security work and compliance issues? How can compliance requirements be met without placing undue strain on the organisation causing paralysis by analysis? How can information security people add value to a business following a compliance agenda?
The pressure to deliver a secure IT infrastructure against a background of constantly changing compliance and regulatory demands is tough, and not helped by a reduction in budgets to achieve this ever-changing goal. The first part of this process is to get an understanding of exactly what compliance requirements you need to be worried about and, more importantly, those that can be put to the background. Not only do we need to consider state laws, federal laws and international laws, there are industry-specific regulations that further complicate the picture. Those organisations trading across international boundaries face even more challenges as they get to grips with different legal structures and cultural demands. During this webinar you will have a chance to learn about the realities of achieving an acceptable level of compliance for your organisation, and hopefully get some help for your work down in the trenches.
I would imagine that everyone knows only too well the demands on us as information security professionals. I think it could be argued that we have one of the most difficult jobs in the IT business as we need to be seen to add value whilst at the same time often saying no—often a contradictory position.
As the current financial situation rolls on, we are faced with doing more with less, and organisations are increasingly worried about reputational risk, as any damage to the business will have an effect on often slim profits. This work needs to be balanced with the relentless slog of dealing with malware and other unexpected gotchas waiting in the wings to pounce.
Some of us are lucky enough to enjoy a lot of support from the executive team downwards. Unfortunately other boards may see the information security role as nothing but a pain and something they wish they could make go away. If this is your position you have my sympathies!
Data security is now getting a lot of attention as it is subject to legal and regulatory compliance requirements. Failing to adhere to appropriate laws and regulations can result in legal actions, fines, reputational risk and maybe, in extreme circumstances, imprisonment.
The benefits of compliance
Achieving compliance, in the broadest sense of the word, can be a good thing as it often instils good practices and procedures.
On the other hand, over-compliance can be detrimental as the business can be bogged down in achieving a goal that delivers little direct business benefit. Many medium-sized businesses are struggling with compliance requirements as they are big enough to be caught by various requirements but too small to have the resources to cope. Of course, failing a compliance audit can result in lots of difficult questions from the board of directors, shareholders and partners.
The only thing we can promise is that there will be more compliance and regulatory requirements coming down the line to affect data handling and security. The demands of a business culture that is becoming more and more compliance oriented can be major. The problem is that this change in culture leads to some strange ideas.
One objection to additional security spend I hear from businesses is that they are fully compliant, as proved by external auditors, and therefore don’t need much or any more investment in their IT security systems. Some business managers are then astonished when they realise that security has been breached, especially after they had spent considerable sums on establishing this compliant business environment. Indeed, the fact that the business is compliant, whatever that means, has induced a level of complacency in some as regards information security.
IT security managers need to help educate business managers in the differences between compliance and security. That way a business can make investment decisions based on accurate information rather than assumptions.
I feel for medium-sized businesses that are captured by the compliance net but have little or no resources to meet what can be seen as an onerous requirement. Fortunately some compliance and regulatory demands have planned for this and offer suitable break points so that small and medium-sized businesses don’t fall foul of regulations whilst being able to run their day-to-day business.
The cost of poor compliance
So what about the real cost of poor compliance and bad information security? In March 2010 Zurich Insurance announced that it was going to improve its information security after losing personal financial information on 46,000 British clients through careless handling of unencrypted back-up tapes.
The back-up tape, which also contained personal details of 1,800 third party insurance claimants from the UK, was lost by Zurich's South African sister company during what was described as a routine transfer to a data storage facility in South Africa in August 2008.
In total, 51,000 British records were on the tape, along with a much larger number of details about Zurich customers in South Africa (550,000) and Botswana (40,000). Zurich's UK arm wasn't informed about the problem until a year later.
They were fined the equivalent of $5m by the Financial Services Authority, the highest fine levied in the UK on a single firm for data security failings. This is the cost of non-compliance.
In many respects, the United States has led when it comes to data security laws that mandate stricter requirements and harsher penalties if data is compromised.
The implementation of state-level data breach notification laws in California in 2002 was seen as a prime example of addressing individuals' concerns about their data privacy. In this case, if personally identifiable data has been lost then those individuals possibly affected must be notified and steps taken to help them manage any ongoing consequences. 44 of the US states now have similar laws in place but, of course, if data has been demonstrably encrypted, then there would be no obligation to disclose its loss.
Since 2002, many US states have introduced even more draconian laws. The state of Massachusetts has introduced regulation 201 that is designed to protect personal data, for which encryption plays a big part. The compliance date was set for January 2010 and violators face penalties of $5,000 per infringement.
Other US laws encompass data security and imply that data encryption is required, even if it is not explicitly stated in the legislation.
The Health Insurance Portability and Accountability Act of 1996 gives powers to the Department of Health and Human Services to watch over and enforce rules applicable to the safe and secure handling of patient data, including that which contains personally identifiable health information. It is applicable to all entities that use such data, including healthcare providers, insurance companies and public health authorities. There are three safeguards that need to be implemented, covering the administrative, physical and technical areas of data management. The technical safeguards require that patient health information is not improperly modified, and any deliberate misuse could result in a prison term.
The Sarbanes-Oxley Act of 2002 was intended to improve the regulation and accountability of publicly owned companies following the spectacular corporate failures that occurred in the early part of that decade. Under Section 404: Management Assessment of Internal Controls of the Sarbanes-Oxley Act, there is a need to prove the integrity and confidentiality of financial information.
The U.S. Congress passed the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, in 1999 to assist in the growth of the US financial services industry. One part of the Act (Sec. 501b) addresses the safeguarding of customer information including the integrity and confidentiality of non-public personal information and customer records.
The EU has a very different make-up to the United States. The European Union currently comprises 27 member states. It was established following the Maastricht treaty in 1993, which renewed the union originally called the European Economic Community, or EEC. The EU generates approximately 30% of worldwide GDP and has around 500 million citizens.
The EU has developed a system of laws that apply to the movement of goods and people and the creation of a single trading entity. Each member state is subject to both EU and their own locally created national laws. There are countries that form part of Europe geographically but do not have membership of the EU, for example Switzerland. These countries are therefore not subject to EU-based laws.
As part of its remit, the EU has created business-related compliance and regulatory requirements, including laws that cover the safe keeping and management of data in computer systems. Failure to comply with these laws can result in criminal proceedings and prosecutions, so any organisation operating in the EU needs to take such laws as seriously as those developed by individual nation states.
When considering EU law it is important to understand the structure of the EU and how laws are enacted.
The EU Council represents national governments and is a council of ministers run by a 6-month rotating presidency. National ministers attend meetings as appropriate to their portfolio. The European Parliament is elected every five years by citizens of the member states. Members of the European Parliament have geographically-based constituencies that are generally larger than those for members of a national parliament.
The European Commission acts as a civil service and drafts new laws, which are passed to the European Parliament for discussion and enactment. The EU is based on a rule of law, which is laid down in a series of treaties and directives. These then become a collective legislative act of the EU, which is then enacted in member state laws. If a member state fails to enact a suitable law then action can be taken against that state in the European Court of Justice, which is the judicial institution of the Community.
The compliance and regulatory framework in EMEA is never far from the spotlight, more so as the current worldwide financial situation is forcing regulators to review their oversight and regulatory activities in an attempt to prevent a similar crisis happening again. This is against a backdrop of relentless data loss incidents across both the private and public sector.
So let’s look at some key requirements in detail. The UK Data Protection Act is a useful example of a data privacy law and the PCI DSS is an interesting example of an international requirement put in place by a non-state organisation.
Data Protection Act
The UK Data Protection Act imposes legal obligations on anyone processing personal data to ensure there is good practice and management of that data. In part 1 of the Act there are 8 enforceable principles of good personal information handling. Data must be:
- Accurate and up to date.
- Fairly and lawfully processed.
- Not allowed to leave the UK unless the destination countries have similar legislation.
- Processed in line with a person’s rights.
- Only kept for as long as necessary.
- Processed for limited purposes.
- Adequate, relevant and not excessive.
- Kept secure, with appropriate technical and organisational measures against unauthorised processing, loss or damage.
Part 2 of the Act gives individuals rights to find out what personal information is held about them on computers and most paper records. The UK Information Commissioner’s Office (ICO) has legal powers to ensure that organisations comply with the requirements of the Data Protection Act. A data controller who persistently breaches the Act and has been served with an enforcement notice can be prosecuted for failing to comply with a notice. From April 2010 the ICO can impose penalties not exceeding £500,000 for serious breaches of this Act. We are still waiting for the “big one” to hit, but I understand there are some ongoing investigations that may result in the maximum fine. Certainly, if the loss of 25 million records by the UK’s HM Revenue and Customs a couple of years ago happened today, the ICO has publicly stated that it would have levied the maximum fine. Then, of course, we have discussions about public money travelling from one place to another, but that is beyond the scope of this presentation.
In Germany the Bundesdatenschutzgesetz (BDSG) adheres to the seven basic principles of EU Directive 95/46/EC in the protection of data relating to individuals or data that allows an individual to be identified. The 16 Länder have their own data protection regulations that cover local public bodies. These local regulations are similar in spirit to the Federal Data Protection Act. In July 2009, the German legislature passed a number of amendments to the Act to strengthen its powers. Most notably there was a new requirement introduced to provide notification of data breaches in a similar way to the United States. These were effective from 1st September 2009.
PCI DSS
This is probably one of those regulations that appears to have achieved a good compliance vs. effort balance, as organisations that I work with are generally satisfied that they can achieve their required level of PCI DSS compliance without it breaking their businesses. If you take a look at the 12 requirements of PCI DSS, no one could argue against the sanity of putting in place these measures:
- Build and maintain a secure network including installing and maintaining a firewall configuration to protect cardholder data and not using default passwords.
- Protect cardholder data and encrypt transmission of cardholder data across open, public networks.
- Maintain a vulnerability management program and use regularly updated anti-virus software. Develop and maintain secure systems and applications.
- Implement strong access control measures and restrict access to cardholder data on a need-to-know basis. Assign a unique ID to each person with computer access and restrict physical access to cardholder data.
- Regularly monitor and test networks and track and monitor all access to network resources and cardholder data.
- Maintain a policy that addresses information security.
I don’t see how any information security professional could argue against implementing these requirements as they all go to make up a common-sense set of security structures. Having recently had my credit card details stolen I am as keen as anyone to see merchants achieve a better level of security and compliance.
Contrast the relative clarity of PCI DSS with the Sarbanes-Oxley requirements in the US. This imposes rather mystical requirements on information security. For example section 404 of Sarbanes-Oxley requires organisations to, “provide internal controls and report on their effectiveness” and section 802 says that organisations must, “ensure the integrity and availability of records”. This is a charter for auditors to make a lot of money!
As we have seen, compliance is now a big requirement for many businesses and I think most people would agree that the depth and breadth of compliance requirements is only going to deepen. As organisations switch on to the world of compliance they realise that it is far more cost-effective to run compliant systems 24/7 rather than hastily scrabble to clean up prior to an audit. Those days should be long gone and organisations should ideally be “audit ready” at all times, or at least strive to be. Any investment in systems that assist in gathering data and then produce compliance documentation will inevitably be proven to be a wise one, even if in the short term there is some practical and fiscal pain in purchasing and implementing the system.
This is where knowing the unknowns can pay dividends. I worked with a very large organisation recently that was feeling under pressure to come up to scratch from a compliance viewpoint. The IT infrastructure was (and indeed is) huge, and quite frankly systems, servers, networks and deployments ran away with themselves for a number of years. The IT management was feeling overwhelmed and needed to try and get a grip. To that end they installed and configured some automatic discovery tools to try and scan the network to see how it matched with their “official” documentation. The scale of additional network segments, hidden wireless access points, secret departmental databases and a wealth of other unauthorised IT was frightening.
This shook up the management and led to a far more structured planning and network management process. Luckily they managed to get most of these issues addressed prior to a looming audit.
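As an added example, not from the talk or the organisation described in it, here is how that reconciliation of discovered assets against the “official” register can be scripted so it runs continuously rather than once before an audit. The scan output, asset register and authorised segment list are constructed placeholders, and the host kinds and service names are assumed labels a discovery tool might emit.

```python
"""Reconcile a discovery scan against the 'official' asset register.

Added example: the scan results and register below are constructed stand-ins
for discovery-tool output and a CMDB export. The goal is to surface the
unknowns the talk describes: undocumented segments, hosts, wireless access
points and databases, plus register entries that no longer exist.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    kind: str                                   # assumed labels: "server", "wireless-ap", "workstation"
    services: set = field(default_factory=set)  # assumed service names, e.g. {"mysql", "http"}


# Constructed discovery output (what a scanner found on the wire).
DISCOVERED = [
    Host("10.1.0.10", "server", {"http", "ssh"}),
    Host("10.1.0.11", "server", {"mssql"}),        # database nobody documented
    Host("10.1.0.50", "wireless-ap", {"http"}),    # access point nobody documented
    Host("10.7.3.4", "server", {"mysql", "ssh"}),  # whole segment nobody documented
    Host("10.7.3.9", "workstation", set()),
]

# Constructed 'official' documentation: authorised segments and registered hosts.
AUTHORISED_SEGMENTS = [ipaddress.ip_network("10.1.0.0/24")]
REGISTER = {
    "10.1.0.10": Host("10.1.0.10", "server", {"http", "ssh"}),
    "10.1.0.11": Host("10.1.0.11", "server", {"http"}),
    "10.1.0.99": Host("10.1.0.99", "server", {"ldap"}),  # documented but not found
}
DATABASE_SERVICES = {"mysql", "mssql", "postgres", "oracle"}


def reconcile(discovered, register, segments):
    """Compare reality (discovered) with documentation (register, segments)."""
    findings = {"undocumented_segments": set(), "undocumented_hosts": [],
                "rogue_wireless": [], "undocumented_databases": [],
                "stale_register_entries": []}
    seen = set()
    for h in discovered:
        seen.add(h.ip)
        addr = ipaddress.ip_address(h.ip)
        if not any(addr in net for net in segments):
            # A host outside every documented segment implies an unrecorded network.
            net = ipaddress.ip_network(f"{h.ip}/24", strict=False)
            findings["undocumented_segments"].add(str(net))
        doc = register.get(h.ip)
        if doc is None:
            findings["undocumented_hosts"].append(h.ip)
        if h.kind == "wireless-ap" and (doc is None or doc.kind != "wireless-ap"):
            findings["rogue_wireless"].append(h.ip)
        # Database services present on the host but absent from its documentation.
        undocumented_db = (h.services & DATABASE_SERVICES) - (doc.services if doc else set())
        if undocumented_db:
            findings["undocumented_databases"].append((h.ip, sorted(undocumented_db)))
    # Register entries the scan never saw: documentation that has drifted from reality.
    findings["stale_register_entries"] = sorted(set(register) - seen)
    return findings


def audit_ready(findings):
    """True only when every category is empty, i.e. documentation matches reality."""
    return not any(findings.values())


if __name__ == "__main__":
    for category, items in reconcile(DISCOVERED, REGISTER, AUTHORISED_SEGMENTS).items():
        print(f"{category}: {sorted(items, key=str)}")
```

Running the same check on a schedule, and treating a non-empty report as a ticket rather than a surprise, is what keeps the register honest between audits.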
Compliance adding value
We, as information security professionals, need to be adding value to the business. Instead of being seen as the people that say no, we should be a conduit to ease the implementation of compliance systems. By understanding not only the technical challenges of compliance requirements but also the business context we can be seen to add value from the off. The good news is that, as we have seen, investing in compliance can also help us deliver a secure working environment. That said, it is incumbent on us to ensure the business really understands the difference between compliance and security, but at the same time sees the improved business case of delivering appropriate security projects on the back of a compliance requirement. Information technology can be notoriously complex and we often see business managers chased away from involvement in decisions related to technology. Whilst this may be appropriate in very narrow technical decisions, it is important that the business understands IT and how it is benefiting the business.
From a compliance perspective it is very easy for the business to be frightened by talk of liabilities, whilst technicians appear to spend budgets with limited care for the overall business benefit. When considering IT compliance, it is imperative that a strategic approach is taken based on clear, rational thinking. Many businesses have rushed into a technical solution that was sold as solving compliance issues only for them to quickly realise the limitations of the product.
IT security professionals have a responsibility not only to define an effective technical solution but to ensure that the solution is developed and deployed to mitigate fully the exposure and risks facing the business. Businesses must recognise that IT security is not only an important aspect of today’s business requirements but a permanent feature, the importance of which will only grow as the rights of the individual are ever more politicised and enshrined in EU and national law.
Data is either static or on the move. In both cases businesses must be able to secure it and to demonstrate to all parties that it is doing so. In our industry nothing stays still for long.
A word of caution now needs to be sounded about cloud-based systems and compliance. The race to the cloud has seen a number of organisations fall foul of data protection regulations and issues such as data privacy. Of course the cloud delivers some interesting business benefits but these must be balanced against the associated security and regulatory issues—joining the dots between security and compliance initiatives when talking about cloud computing can be very tricky.
The good news is that aligning information security and compliance, although a challenge, is probably getting easier now than it was up until a couple of years ago. The availability of tools to help in this process should reduce the compliance headache and help us get some value out of the compliance process.
New compliance requirements
We have seen new compliance and legislative requirements continually emerge in response to political initiatives, market dynamics and the need to manage new technologies.
Although many of these were not directly aimed at IT systems it is inevitable that such systems will be used to transport, store and manage data that will be subject to audit and control. There will therefore be a need for data to be held and moved demonstrably in a safe and secure way such that integrity is retained.
Examples include the UK’s smart metering initiative, where household energy meters will be upgraded to devices connected to a network and data transferred automatically to central billing facilities. Requests for data privacy comments have been made by OFGEM, the energy regulator. Although a lot of existing regulations and laws such as the Data Protection Act will be applicable it would not be surprising if tailored requirements emerge.
Effective governance that protects all constituents and demonstrates compliance and clear corporate responsibility will become an increasingly key component of data-related business solutions. Increasing awareness of the consequences of non-compliance will drive requirements for transparency and complete end-to-end visibility of data movements within the enterprise and, ultimately, throughout the value and supply chain.
Does compliance = MOT?
I will leave you with one last thought. Here in the UK, after the Second World War, lots of people were driving cars that were in pretty bad repair—brakes were poor, lights were damaged and steering was often ropey. This led to accidents and injuries that could have been prevented. In 1960 the Ministry of Transport introduced a compulsory test, now commonly called the MOT, on all vehicles over 10 years old in an effort to ban the most dangerous cars from the road. Over time the age at which annual tests begin reduced to its current 3 years, and the breadth and depth of the MOT has now expanded to incorporate new technologies such as catalytic converters.
Is the growth in IT related regulations and compliance requirements following a similar trajectory to the evolution of the MOT test?
All in all we now see far fewer old bangers or clunkers on the road than at any time in the past, and I wonder whether we will benefit in seeing fewer data breaches and security lapses as computer systems are put through regular audits or MOTs.
Of course the mistake many people make when buying a car is to assume that a current MOT certificate is proof that a vehicle is roadworthy. Of course it isn’t—all it means is that at the time of testing the car was able to pass the MOT test.
In a similar way a computer system may pass an audit but very rapidly collapse into a state of non-compliance due to mismanagement. Constant attention to audit and compliance is the only sensible way to manage these needs.
Who knows, with the development of decent compliance and regulations we may see less dangerous IT systems and fewer data loss accidents and mishaps!