When the calendar flips over to a new year in January, organizations will be faced with a new round of compliance demands piled onto the existing ones they might already be struggling to deal with. Here's what a range of industry insiders say should make any organization's to-do list in the coming year.
Show Shareholders The Dirty Laundry, Per SEC Demands
The SEC released guidance in October that asks public companies to disclose data breaches and "material cyberattacks" that would raise shareholders' eyebrows. This means publicly traded companies need to be ready to report to investors the financial ramifications of hacks and breaches that hit them starting in 2012.
"Members of our profession frequently lament the lack of awareness and visibility of cybersecurity issues with the senior management," says Michael de Crespigny, CEO of Information Security Forum. "This SEC guidance, speaking to management about obligatory disclosures, provides another opportunity to change that. Information security leaders should take the initiative to raise this issue with senior management and explain how your organization should respond."
Work On Layered Security For FFIEC Compliance
Simply installing multifactor authentication will no longer cut it for online banking. The Federal Financial Institutions Examination Council (FFIEC) has released updated guidance that requires financial institutions to implement risk assessment, better fraud protections, and overall layered security to better protect consumer and business customers who use online accounts. Bank examiners will begin to formally assess financial institutions' compliance beginning in January.
"Start your FFIEC compliance effort by assessing your risk. You will quickly find your customers' PCs at the top of the list. That is the point of attack for criminals using crimeware to take over online accounts," says Ajay Nigam, senior vice president of product management at IronKey. "The FFIEC, electronics payment organization NACHA, the FBI, and market research firm Gartner all recommend layered security starting with the first layer at their client PCs."
Continue To Reduce Scope On Cardholder Data for PCI 2.0
It's been more than a year now since the PCI Council introduced new tweaks to the retail industry's security standard through PCI DSS 2.0. Enforcement of the standard starts in January, making it a good time to continue PCI efforts by revisiting all sources of data and continuing to winnow down the scope of systems covered under the standard.
"PCI DSS regulated data is not going away. Organizations with cardholder data need to delete the data if they can, and if they can't, protect it -- encrypt it, tokenize it -- but don't let it remain in the clear," says Mark Bower, vice president at Voltage Security.
Start Familiarizing Yourself With ISO 27036 For Better Third-Party Audits
"Assuring the security of information entrusted to third parties has always been a concern of the information security function," says Gregory Nowak, principal research analyst for Information Security Forum. "On the opposite side, providers of information-handling services want to assure their clients that their information will be handled appropriately -- but want to avoid excessive workload in support of audit requests from their clients."
Nowak says that the forthcoming ISO/IEC 27036 standard on Information Security for Supplier Relationships has the potential to ease that dissonance and will likely be used by a lot of client organizations to demonstrate vendor compliance. That means both parties would do well to examine the standard before it goes live.
"Getting familiar with the ISO 27036 before the standardization rush should be on the agenda in 2012 for all organizations that outsource information processing, or are planning to -- as well as for information services providers," Nowak says.
Streamline Compliance With GRC Programming
The new hits keep rolling in, as old regulations are updated and new ones are drafted. Security experts recommend that organizations get serious about their governance, risk, and compliance programs to better streamline and consolidate one-off compliance projects.
"The regulatory burden is only going to get heavier year-over-year. Its drag on the bottom line is palpable," says Ben Tomhave, principal consultant at LockPath. "As such, it is becoming increasingly important that this burden be taken on aggressively through instantiation of a comprehensive GRC program that includes an imperative to actively manage operational risk in a measurable, cost-effective manner."
Not only does the program need to be created, but security compliance programs must be meshed with business processes to ensure they work as promised.
"These programs, although built with the best intentions, can fail to meet the dynamic needs of the business and eventually become a pain point to the organization. In order for a company to maintain a proactive security posture, it must ensure that there are security deliverables integrated into the business," says Mike Weber, managing director of Coalfire Labs. "By requiring security deliverables throughout the IT service management process, a company can ensure its security program stays out in front of business needs and remains relevant and effective as the business evolves."
Work Toward Continuous Monitoring
Michael Hamelin, chief security architect for Tufin, predicts that 2012 will be the year of continuous compliance in many auditors' books.
"In other words, organizations will have to demonstrate that they can track any changes to their compliance posture and audit as needed, as opposed to referring back to a single point in time based on their last audit," Hamelin says. "As a result, investing in automating the audit process will be top of project lists for 2012, which will result in many organizations adopting more mature and effective processes for managing compliance."
The automation part is the key, says Patrick Taylor, CEO of Oversight Systems, who emphasizes continuous monitoring as a path to continuous compliance.
"Even the best defenses are routinely defeated by social engineering and other surprisingly low-tech attacks. Businesses need to find and correct fraudulent transactions that come from these attacks as they are recorded, not weeks or months after the fact," he says. "Continuous monitoring uses targeted real-time analytics to deliver this additional line of protection -- even when network defenses have been thoroughly compromised."
Make Someone Accountable
If you haven't done so already, then make 2012 the year that your organization appoints ownership of compliance responsibilities to someone.
"Assign clear compliance responsibility to a specific authority within your organization. And along with that responsibility, don't forget to give them the authority to actually meet those goals," says Jon Heimerl, director of strategic security for Solutionary. "Make sure everyone in your organization knows who owns compliance. Make sure those people are fully trained so that they are truly qualified to actually manage the compliance process."
Watch Out For HIPAA Audits
Healthcare organizations could be in for a big-time reality check in 2012, Heimerl warns.
"The Office for Civil Rights (OCR) has initiated a pilot program to audit Covered Entities for HIPAA compliance," he says. "The program is a pretty aggressive program and will help lead to more frequent HIPAA compliance audits in the future."
One of the most important things to understand about this program is that when the organization in question is notified by OCR that it is subject to audit, it will have only 10 days to submit all of the required compliance documentation. That means if you aren't already prepared, you're pretty much up the proverbial creek without a paddle.
"This time frame is short enough that if you do not have your compliance well-defined, you will not be in a position where you will be able to meet this deadline," he says.
Treat FinCEN Seriously
Financial institutions might be focused on FFIEC right now, but they'd do well to keep an eye out for new updates from the Financial Crimes Enforcement Network (FinCEN) to its requirements for managing electronic reporting for Suspicious Activity Report (SAR) filing that will potentially go into effect in June.
"The Department of Treasury is serious about this update, and we should take it seriously when they discuss fines for noncompliance," Heimerl says.
Get IAM Control
One of the most impactful ways to improve audit results in 2012 and beyond is to do a better job bringing privileges into check and revamping identity and access management strategies to improve control and visibility.
"Identity and access management is a key component of an effective compliance strategy. Organizations cannot maintain control of compliance processes unless they know who has access to vital IT resources and what they're using them for," says Dave Fowler, the COO of Courion. "That calls for intelligence based on user data that quickly reveals associations and patterns that might violate compliance guidelines and company policies, or indicates hidden risks."
Top of the IAM to-do list should be the application of the rule of least privilege within all environments.
"Eliminating overprivileged users inside your organization will aid in compliance satisfaction as most regulations -- SOX, HIPAA, GLB, PCI -- have a clause on level of access to key IT assets," says Jim Zierick, executive vice president of product operations at BeyondTrust. "All IT assets need administration, but this level of privilege also opens the path to abuse and actions outside of corporate governance or regulated policies."