Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

12/5/2011
04:59 PM
50%
50%

2012 Compliance Checklist

Security professionals need to consider these best practices and new compliance requirements as they ring in a new year

When the calendar flips over to a new year in January, organizations will be faced with a new round of compliance demands piled onto the existing ones they might already be struggling to deal with. Here's what a range of industry insiders say should make any organization's to-do list in the coming year.

Show Shareholders The Dirty Laundry, Per SEC Demands
The SEC released a guidance in October that asks public companies to disclose data breaches and "material cyberattacks" that would raise shareholders' eyebrows. This means publicly traded companies need to be ready to report to investors the financial ramifications of hacks and breaches that hit them starting in 2012.

"Members of our profession frequently lament the lack of awareness and visibility of cybersecurity issues with the senior management," says Michael de Crespigny, CEO of Information Security Forum. "This SEC guidance, speaking to management about obligatory disclosures, provides another opportunity to change that. Information security leaders should take the initiative to raise this issue with senior management and explain how your organization should respond."

Work On Layered Security For FFIEC Compliance
Simply installing multifactor authentication alone no longer will cut it for online banking, as the Federal Financial Institutions Examination Council (FFIEC) released an updated guidance that requires financial institutions to implement risk assessment, better fraud protections, and overall layered security to better protect consumer and business customers who use online accounts. Bank examiners will begin to formally assess financial institutions’ compliance beginning in January.

"Start your FFIEC compliance effort by assessing your risk. You will quickly find your customers' PCs at the top of the list. That is the point of attack for criminals using crimeware to take over online accounts," says Ajay Nigam, senior vice president of product management at IronKey. "The FFIEC, electronics payment organization NACHA, the FBI, and market research firm Gartner all recommend layered security starting with the first layer at their client PCs."

Continue To Reduce Scope On Cardholder Data for PCI 2.0
It's been more than a year now since the PCI Council introduced new tweaks to the retail industry's security standard through PCI DSS 2.0. Enforcement of the standard starts in January, making it a good time to continue PCI efforts by revisiting all sources of data and continuing to winnow down the scope of systems covered under the standard.

"PCI DSS regulated data is not going away. Organizations with cardholder data need to delete the data if they can, and if they can't, protect it -- encrypt it, tokenize it -- but don't let it remain in the clear," says Mark Bower, vice president at Voltage Security.

Start Familiarizing Yourself With ISO 27036 For Better Third-Party Audits
"Assuring the security of information entrusted to third parties has always been a concern of the information security function," says Gregory Nowak, principal research analyst for Information Security Forum. "On the opposite side, providers of information-handling services want to assure their clients that their information will be handled appropriately -- but want to avoid excessive workload in support of audit requests from their clients."

Nowak says that the forthcoming ISO/IEC 27036 standard on Information Security for Supplier Relationships has the potential to ease that dissonance and will likely be used by a lot of client organizations to demonstrate vendor compliance. That means both parties would do well to examine the standard before it goes live.

"Getting familiar with the ISO 27036 before the standardization rush should be on the agenda in 2012 for all organizations that outsource information processing, or are planning to -- as well as for information services providers," Nowak says.

Streamline Compliance With GRC Programming
The new hits keep rolling in, as old regulations are updated and new ones are drafted. Security experts recommend that organizations get serious about their governance, risk, and compliance programs to better streamline and consolidate one-off compliance projects.

"The regulatory burden is only going to get heavier year-over-year. Its drag on the bottom line is palpable," says Ben Tomhave, principal consultant at LockPath. "As such, it is becoming increasingly important that this burden be taken on aggressively through instantiation of a comprehensive GRC program that includes an imperative to actively manage operational risk in a measurable, cost-effective manner."

Not only does the program need to be created, but security compliance programs must be meshed with business processes to ensure they work as promised.

"These programs, although built with the best intentions, can fail to meet the dynamic needs of the business and eventually become a painpoint to the organization. In order for a company to maintain a proactive security posture, it must ensure that there are security deliverables integrated into the business," says Mike Weber, managing director of Coalfire Labs. "By requiring security deliverables throughout the IT service management process, a company can ensure its security program stays out in front of business needs and remains relevant and effective as the business evolves."

Next Page: Continuous monitoring

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.