Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

12/5/2011
04:59 PM
50%
50%

2012 Compliance Checklist

Security professionals need to consider these best practices and new compliance requirements as they ring in a new year

When the calendar flips over to a new year in January, organizations will be faced with a new round of compliance demands piled onto the existing ones they might already be struggling to deal with. Here's what a range of industry insiders say should make any organization's to-do list in the coming year.

Show Shareholders The Dirty Laundry, Per SEC Demands
The SEC released a guidance in October that asks public companies to disclose data breaches and "material cyberattacks" that would raise shareholders' eyebrows. This means publicly traded companies need to be ready to report to investors the financial ramifications of hacks and breaches that hit them starting in 2012.

"Members of our profession frequently lament the lack of awareness and visibility of cybersecurity issues with the senior management," says Michael de Crespigny, CEO of Information Security Forum. "This SEC guidance, speaking to management about obligatory disclosures, provides another opportunity to change that. Information security leaders should take the initiative to raise this issue with senior management and explain how your organization should respond."

Work On Layered Security For FFIEC Compliance
Simply installing multifactor authentication alone no longer will cut it for online banking, as the Federal Financial Institutions Examination Council (FFIEC) released an updated guidance that requires financial institutions to implement risk assessment, better fraud protections, and overall layered security to better protect consumer and business customers who use online accounts. Bank examiners will begin to formally assess financial institutions’ compliance beginning in January.

"Start your FFIEC compliance effort by assessing your risk. You will quickly find your customers' PCs at the top of the list. That is the point of attack for criminals using crimeware to take over online accounts," says Ajay Nigam, senior vice president of product management at IronKey. "The FFIEC, electronics payment organization NACHA, the FBI, and market research firm Gartner all recommend layered security starting with the first layer at their client PCs."

Continue To Reduce Scope On Cardholder Data for PCI 2.0
It's been more than a year now since the PCI Council introduced new tweaks to the retail industry's security standard through PCI DSS 2.0. Enforcement of the standard starts in January, making it a good time to continue PCI efforts by revisiting all sources of data and continuing to winnow down the scope of systems covered under the standard.

"PCI DSS regulated data is not going away. Organizations with cardholder data need to delete the data if they can, and if they can't, protect it -- encrypt it, tokenize it -- but don't let it remain in the clear," says Mark Bower, vice president at Voltage Security.

Start Familiarizing Yourself With ISO 27036 For Better Third-Party Audits
"Assuring the security of information entrusted to third parties has always been a concern of the information security function," says Gregory Nowak, principal research analyst for Information Security Forum. "On the opposite side, providers of information-handling services want to assure their clients that their information will be handled appropriately -- but want to avoid excessive workload in support of audit requests from their clients."

Nowak says that the forthcoming ISO/IEC 27036 standard on Information Security for Supplier Relationships has the potential to ease that dissonance and will likely be used by a lot of client organizations to demonstrate vendor compliance. That means both parties would do well to examine the standard before it goes live.

"Getting familiar with the ISO 27036 before the standardization rush should be on the agenda in 2012 for all organizations that outsource information processing, or are planning to -- as well as for information services providers," Nowak says.

Streamline Compliance With GRC Programming
The new hits keep rolling in, as old regulations are updated and new ones are drafted. Security experts recommend that organizations get serious about their governance, risk, and compliance programs to better streamline and consolidate one-off compliance projects.

"The regulatory burden is only going to get heavier year-over-year. Its drag on the bottom line is palpable," says Ben Tomhave, principal consultant at LockPath. "As such, it is becoming increasingly important that this burden be taken on aggressively through instantiation of a comprehensive GRC program that includes an imperative to actively manage operational risk in a measurable, cost-effective manner."

Not only does the program need to be created, but security compliance programs must be meshed with business processes to ensure they work as promised.

"These programs, although built with the best intentions, can fail to meet the dynamic needs of the business and eventually become a painpoint to the organization. In order for a company to maintain a proactive security posture, it must ensure that there are security deliverables integrated into the business," says Mike Weber, managing director of Coalfire Labs. "By requiring security deliverables throughout the IT service management process, a company can ensure its security program stays out in front of business needs and remains relevant and effective as the business evolves."

Next Page: Continuous monitoring

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.