2012 Compliance Checklist

Security professionals need to consider these best practices and new compliance requirements as they ring in a new year

When the calendar flips over to a new year in January, organizations will be faced with a new round of compliance demands piled onto the existing ones they might already be struggling to deal with. Here's what a range of industry insiders say should make any organization's to-do list in the coming year.

Show Shareholders The Dirty Laundry, Per SEC Demands
The SEC released guidance in October asking public companies to disclose data breaches and "material cyberattacks" that would raise shareholders' eyebrows. This means publicly traded companies need to be ready to report to investors the financial ramifications of hacks and breaches that hit them, starting in 2012.

"Members of our profession frequently lament the lack of awareness and visibility of cybersecurity issues with the senior management," says Michael de Crespigny, CEO of Information Security Forum. "This SEC guidance, speaking to management about obligatory disclosures, provides another opportunity to change that. Information security leaders should take the initiative to raise this issue with senior management and explain how your organization should respond."

Work On Layered Security For FFIEC Compliance
Simply installing multifactor authentication will no longer cut it for online banking: the Federal Financial Institutions Examination Council (FFIEC) has released updated guidance that requires financial institutions to implement risk assessment, better fraud protections, and overall layered security to protect consumer and business customers who use online accounts. Bank examiners will begin to formally assess financial institutions' compliance in January.

"Start your FFIEC compliance effort by assessing your risk. You will quickly find your customers' PCs at the top of the list. That is the point of attack for criminals using crimeware to take over online accounts," says Ajay Nigam, senior vice president of product management at IronKey. "The FFIEC, electronics payment organization NACHA, the FBI, and market research firm Gartner all recommend layered security starting with the first layer at their client PCs."

Continue To Reduce Scope On Cardholder Data for PCI 2.0
It's been more than a year now since the PCI Council introduced new tweaks to the retail industry's security standard through PCI DSS 2.0. Enforcement of the standard starts in January, making it a good time to continue PCI efforts by revisiting all sources of data and continuing to winnow down the scope of systems covered under the standard.

"PCI DSS regulated data is not going away. Organizations with cardholder data need to delete the data if they can, and if they can't, protect it -- encrypt it, tokenize it -- but don't let it remain in the clear," says Mark Bower, vice president at Voltage Security.

Start Familiarizing Yourself With ISO 27036 For Better Third-Party Audits
"Assuring the security of information entrusted to third parties has always been a concern of the information security function," says Gregory Nowak, principal research analyst for Information Security Forum. "On the opposite side, providers of information-handling services want to assure their clients that their information will be handled appropriately -- but want to avoid excessive workload in support of audit requests from their clients."

Nowak says that the forthcoming ISO/IEC 27036 standard on Information Security for Supplier Relationships has the potential to ease that tension and will likely be used by many client organizations to demonstrate vendor compliance. That means both parties would do well to examine the standard before it is published.

"Getting familiar with the ISO 27036 before the standardization rush should be on the agenda in 2012 for all organizations that outsource information processing, or are planning to -- as well as for information services providers," Nowak says.

Streamline Compliance With GRC Programming
The new hits keep rolling in, as old regulations are updated and new ones are drafted. Security experts recommend that organizations get serious about their governance, risk, and compliance programs to better streamline and consolidate one-off compliance projects.

"The regulatory burden is only going to get heavier year-over-year. Its drag on the bottom line is palpable," says Ben Tomhave, principal consultant at LockPath. "As such, it is becoming increasingly important that this burden be taken on aggressively through instantiation of a comprehensive GRC program that includes an imperative to actively manage operational risk in a measurable, cost-effective manner."

Not only does the program need to be created, but security compliance programs must be meshed with business processes to ensure they work as promised.

"These programs, although built with the best intentions, can fail to meet the dynamic needs of the business and eventually become a pain point to the organization. In order for a company to maintain a proactive security posture, it must ensure that there are security deliverables integrated into the business," says Mike Weber, managing director of Coalfire Labs. "By requiring security deliverables throughout the IT service management process, a company can ensure its security program stays out in front of business needs and remains relevant and effective as the business evolves."
