Identity theft and the huge TJX breach have brought information technology and security to the forefront and now the states of Texas and Massachusetts are contemplating bills that would hold corporations financially responsible for security breaches.
A Computerworld article reports that “Texas mulls bill that would make PCI requirements a state law”. According to the article, Texas bill HB 3222 passed the House of Representatives 139-0. It should prove interesting to see what the Texas Senate and Governor Rick Perry have to say about this. Is this really the right move for any state? Massachusetts is also considering legislation that would hold a breached entity responsible for the costs associated with consumer protection.
I feel Information (Security) Standards and Frameworks really should be a part of every corporation’s processes and policies. ISO 27001, ITIL, COBIT and BS 7799 have been around for some time and they are comprehensive and well thought out (IMHO). Is PCI DSS really the right standard to work from? I’d have to say anything is better than nothing, but the more comprehensive, the better. I also have mixed feelings about additional legislation. Why not let the corporations hammer it out? Then again, unless there are very specific requirements with repercussions, someone, somewhere will avoid them.
In case you’re unfamiliar, PCI DSS has 12 basic requirements:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for employees and contractors.
Seems pretty basic, doesn’t it? As you get deeper into the standard, it becomes somewhat confusing… Then let the bean counters and other wordsmiths at it … Hopefully Texas and the other states that follow suit are smarter than that.
Jeremiah Grossman talked about PCI DSS section 6.6, which lets an organization satisfy the web application requirement either by reviewing its custom application code or by putting an application-layer firewall in front of the web-facing applications, and the issues that raises. Some may consider the firewall option to be more band-aid work instead of doing the right thing and working on the basic building blocks of our entire infrastructure – the applications themselves. I would argue that PCI DSS is very close to being a band-aid framework itself. While it is a good small step, it is not comprehensive enough or specific enough to become LAW. Granted, with the card brands backing the standard and certification process, it’s a framework that has some teeth, but I think the jury’s still out on the fines and usage of those “teeth”.
Computers, networks and applications have been around for quite some time (Captain Obvious, there). We rely upon them day in and day out to perform some of our most critical work functions. Protecting these assets, and the media and data they control, seems (to me, Captain Obvious) to be common sense. Why do we need legislation to force something down our throats? Does this really help us to align Information Security with our business objectives?
Since this is a blog, I should probably venture forth some of my own opinion: I have very mixed feelings about this. As a consultant, I worked with quite a few organizations with an incredibly high tolerance for risk. Controls that would have been very simple to implement were ignored. I witnessed a good deal of ignorant risk avoidance instead of educated risk determination (“if we don’t know about it, we’re not responsible”). Then again, some laws can be used as a sales scare tactic (“WE MAKE YOU SOX COMPLIANT”) or become a whole industry unto themselves.
PCI is already a requirement at places that take credit cards, so a law would only extend it to other spheres. Does a blog need to be PCI compliant if it accepts personal information in a profile? What is the scope?
Legislation, reasonable or unreasonable, tends to be contagious.
Security awareness is an incredible thing:
California SB 1386 brought personal information breaches to the forefront of social consciousness. Identity theft has become more prevalent in society. We need to know when/if our personal data has been compromised, so we can determine if it’s being used by someone else. I myself received more than 5 letters from the Veterans Administration when they thought they had lost a laptop with veterans’ personal information on it… then received another 5 when they determined they hadn’t lost my information and recovered the laptop.
ChoicePoint, the first significant public disclosure: of course, they waited quite a bit before disclosing that “identity thieves stole the personal data of at least 163,000 Americans”.
TJX, yet another one:
Would these entities have disclosed their breached status without this legislation?
Bloated legislation, not so hot:
Sarbanes-Oxley – specifically section 404. Whole security industries popped up overnight to help with this legislation. Try Googling: “Sarbanes-Oxley act section 404”
Heng Hsieu Lin and Frederick H. Wu wrote about the limitations of Section 404: “This aim is misguided for a number of reasons. First, internal control was not conceptually designed to be a panacea for corporate ills.”
Anecdotal evidence: prior to joining Veracode, I was on site with a customer auditing their ISO 27001 Information Security Management System. The company had a control (for SOX-404) that stated “An intrusion prevention system (IPS) will be in front of all financial systems”. As part of the diligence process, I requested records of operation, which their policy stated were compiled logs from their IPS. They were unable to produce logs, as the IPS had been turned off. This particular customer had passed their SOX audit with flying colors, yet one of their primary controls had not been active in at least the 9 months preceding their SOX audit.
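The question the auditor asked in that anecdote (“show me the records of operation”) is one a company can ask itself every week instead of once a year. The following is an added example, not code from the original post or from any vendor: it scans IPS log lines, measures the silence between consecutive events, and reports any stretch of the review window in which the control produced no evidence at all. The log format, the heartbeat lines and the seven-day silence threshold are assumptions chosen for illustration; the sample log is constructed.

```python
"""Added example (not part of the original post): a continuous-control check
that verifies a logging control (here an IPS) actually produced evidence across
a review window.  Log line format and thresholds are assumptions."""
from datetime import datetime, timedelta

# Constructed sample: an IPS that logged normally for a few days, then went
# silent for roughly nine months before someone switched it back on.
SAMPLE_IPS_LOG = """\
# ips.log (constructed sample)
2006-06-01T08:00:00 IPS alert drop src=10.0.0.5 dst=10.1.0.9 sig=1234
2006-06-01T09:15:00 IPS alert drop src=10.0.0.7 dst=10.1.0.9 sig=2001
2006-06-02T10:00:00 IPS heartbeat
2006-06-03T10:00:00 IPS heartbeat
2007-03-10T12:00:00 IPS heartbeat
"""

TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%S"  # assumed: ISO 8601 timestamp first on each line


def parse_events(text):
    """Return the sorted timestamps of every line that begins with a timestamp.

    Lines that do not start with a timestamp (comments, rotation banners) are
    skipped rather than treated as evidence that the control was running."""
    stamps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        first_field = line.split(" ", 1)[0]
        try:
            stamps.append(datetime.strptime(first_field, TIMESTAMP_FMT))
        except ValueError:
            continue
    return sorted(stamps)


def evidence_gaps(stamps, window_start, window_end, max_silence=timedelta(days=7)):
    """Return (start, end) pairs inside [window_start, window_end] during which
    no event was logged for longer than max_silence.

    The check is anchored at both ends of the window, so a control that was
    off at the start of the period, or stopped before the end of it, is
    reported just like one that went dark in the middle."""
    gaps = []
    prev = window_start
    for ts in stamps:
        if ts < window_start:
            continue
        if ts > window_end:
            break
        if ts - prev > max_silence:
            gaps.append((prev, ts))
        prev = ts
    if window_end - prev > max_silence:
        gaps.append((prev, window_end))
    return gaps


def control_operating(text, window_start, window_end, max_silence=timedelta(days=7)):
    """True only if the log shows the control emitting evidence throughout the window."""
    stamps = parse_events(text)
    if not stamps:
        return False  # no records of operation at all
    return not evidence_gaps(stamps, window_start, window_end, max_silence)


def gap_report(text, window_start, window_end, max_silence=timedelta(days=7)):
    """Human-readable finding, one line per gap, for the audit file."""
    lines = []
    for start, end in evidence_gaps(parse_events(text), window_start, window_end, max_silence):
        days = (end - start).days
        lines.append(f"no IPS evidence for {days} days: {start:%Y-%m-%d} to {end:%Y-%m-%d}")
    return lines


if __name__ == "__main__":
    window = (datetime(2006, 6, 1), datetime(2007, 3, 12))
    print("control operating:", control_operating(SAMPLE_IPS_LOG, *window))
    for finding in gap_report(SAMPLE_IPS_LOG, *window):
        print(finding)
```

Run against the constructed log over a window from June 2006 to March 2007, the check reports a single gap of about 280 days, which is exactly the kind of finding a once-a-year audit of a policy document cannot surface. Pointing it at the real log directory on a schedule turns “records of operation” from an audit request into a monitored property of the control.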
The Point:
Although I am all for responsibility and actionable policy, why not use common sense, do the right thing and avoid making more bloated laws? If we have to make legislation to cover those that will not perform due diligence in protecting our assets, then make the law actionable, simple, effective, clear and concise. Research before action!