2012 Compliance Checklist
Security professionals need to consider these best practices and new compliance requirements as they ring in a new year
When the calendar flips over to a new year in January, organizations will be faced with a new round of compliance demands piled onto the existing ones they might already be struggling to deal with. Here's what a range of industry insiders say should make any organization's to-do list in the coming year.
Show Shareholders The Dirty Laundry, Per SEC Demands
The SEC released guidance in October that asks public companies to disclose data breaches and "material cyberattacks" that would raise shareholders' eyebrows. This means publicly traded companies need to be ready to report to investors the financial ramifications of hacks and breaches that hit them starting in 2012.
"Members of our profession frequently lament the lack of awareness and visibility of cybersecurity issues with the senior management," says Michael de Crespigny, CEO of Information Security Forum. "This SEC guidance, speaking to management about obligatory disclosures, provides another opportunity to change that. Information security leaders should take the initiative to raise this issue with senior management and explain how your organization should respond."
Work On Layered Security For FFIEC Compliance
Simply installing multifactor authentication will no longer cut it for online banking, as the Federal Financial Institutions Examination Council (FFIEC) has released updated guidance that requires financial institutions to implement risk assessment, better fraud protections, and overall layered security to better protect consumer and business customers who use online accounts. Bank examiners will begin to formally assess financial institutions' compliance in January.
"Start your FFIEC compliance effort by assessing your risk. You will quickly find your customers' PCs at the top of the list. That is the point of attack for criminals using crimeware to take over online accounts," says Ajay Nigam, senior vice president of product management at IronKey. "The FFIEC, electronics payment organization NACHA, the FBI, and market research firm Gartner all recommend layered security starting with the first layer at their client PCs."
Continue To Reduce Scope On Cardholder Data for PCI 2.0
It's been more than a year now since the PCI Council introduced new tweaks to the retail industry's security standard through PCI DSS 2.0. Enforcement of the standard starts in January, making it a good time to continue PCI efforts by revisiting all sources of data and continuing to winnow down the scope of systems covered under the standard.
"PCI DSS regulated data is not going away. Organizations with cardholder data need to delete the data if they can, and if they can't, protect it -- encrypt it, tokenize it -- but don't let it remain in the clear," says Mark Bower, vice president at Voltage Security.
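The scope-reduction advice above (find cardholder data, delete it or tokenize it, never leave it in the clear) is easy to state and tedious to do. The script below is an added example, not code from the article or from Voltage Security: it scans constructed sample records for PAN-shaped numbers, uses the Luhn check to separate real-looking card numbers from look-alike reference numbers, and replaces each hit with a random token from a stand-in vault. The `TokenVault` class and the `tok_` token format are assumptions for the example; the card numbers are the public Visa and Mastercard test numbers, not real accounts.

```python
import re
import secrets

# Constructed sample records. 4111111111111111 and 5555555555554444 are the
# well-known Visa/Mastercard test PANs; 4111111111111112 fails the Luhn check
# and stands in for an order reference that merely looks like a card number.
SAMPLE_RECORDS = [
    "order=10421 card=4111 1111 1111 1111 amount=42.10",
    "order=10422 ref=4111111111111112 amount=13.00",
    "order=10423 card=5555-5555-5555-4444 amount=99.99",
]

# 13 to 19 digits, optionally separated by spaces or hyphens, on word boundaries.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the normalized (digits-only) Luhn-valid PANs found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


class TokenVault:
    """Assumed in-memory stand-in for a token vault. A real deployment keeps
    this mapping in a separately secured store (the only system left in PCI
    scope), never beside the application data it protects."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        # Same PAN always maps to the same token so joins on the token still work.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        # Random token; the "tok_" prefix keeps it from ever matching PAN_CANDIDATE.
        # Keeping the last four digits mirrors the truncation PCI DSS permits.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def scrub_record(record: str, vault: TokenVault) -> tuple:
    """Replace every Luhn-valid PAN in record with a vault token.
    Returns (scrubbed_record, number_of_pans_replaced)."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # leave look-alike numbers untouched
        count += 1
        return vault.tokenize(digits)

    return PAN_CANDIDATE.sub(repl, record), count


def scrub_records(records: list, vault: TokenVault) -> tuple:
    """Scrub a batch of records; returns (scrubbed_records, total_replaced)."""
    out, total = [], 0
    for rec in records:
        scrubbed, n = scrub_record(rec, vault)
        out.append(scrubbed)
        total += n
    return out, total


if __name__ == "__main__":
    vault = TokenVault()
    cleaned, n = scrub_records(SAMPLE_RECORDS, vault)
    print(f"replaced {n} PAN(s)")
    for line in cleaned:
        print(line)
```

Run against a real data store, the count of replaced PANs is the number you want to drive to zero in every system you intend to take out of PCI scope; anything the scan keeps finding is either a deletion candidate or a place where the token vault, not the clear PAN, belongs.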
Start Familiarizing Yourself With ISO 27036 For Better Third-Party Audits
"Assuring the security of information entrusted to third parties has always been a concern of the information security function," says Gregory Nowak, principal research analyst for Information Security Forum. "On the opposite side, providers of information-handling services want to assure their clients that their information will be handled appropriately -- but want to avoid excessive workload in support of audit requests from their clients."
Nowak says that the forthcoming ISO/IEC 27036 standard on Information Security for Supplier Relationships has the potential to ease that dissonance and will likely be used by a lot of client organizations to demonstrate vendor compliance. That means both parties would do well to examine the standard before it goes live.
"Getting familiar with the ISO 27036 before the standardization rush should be on the agenda in 2012 for all organizations that outsource information processing, or are planning to -- as well as for information services providers," Nowak says.
Streamline Compliance With GRC Programming
The new hits keep rolling in, as old regulations are updated and new ones are drafted. Security experts recommend that organizations get serious about their governance, risk, and compliance programs to better streamline and consolidate one-off compliance projects.
"The regulatory burden is only going to get heavier year-over-year. Its drag on the bottom line is palpable," says Ben Tomhave, principal consultant at LockPath. "As such, it is becoming increasingly important that this burden be taken on aggressively through instantiation of a comprehensive GRC program that includes an imperative to actively manage operational risk in a measurable, cost-effective manner."
Not only does the program need to be created, but security compliance programs must be meshed with business processes to ensure they work as promised.
"These programs, although built with the best intentions, can fail to meet the dynamic needs of the business and eventually become a pain point to the organization. In order for a company to maintain a proactive security posture, it must ensure that there are security deliverables integrated into the business," says Mike Weber, managing director of Coalfire Labs. "By requiring security deliverables throughout the IT service management process, a company can ensure its security program stays out in front of business needs and remains relevant and effective as the business evolves."