
Identity theft and the huge TJX breach have brought information technology and security to the forefront and now the states of Texas and Massachusetts are contemplating bills that would hold corporations financially responsible for security breaches.

Computerworld’s article states that “Texas mulls bill that would make PCI requirements a state law”. According to the article, Texas Bill HB 3222 passed the House of Representatives 139-0. It should prove interesting to see what the Texas Senate and Governor Rick Perry have to say about this. Is this really the right move for any state? Massachusetts is also considering legislation that would hold a breached entity responsible for the costs associated with consumer protection.

I feel Information (Security) Standards and Frameworks really should be a part of every corporation’s processes and policies. ISO27001, ITIL, CobiT and BS7799 have been around for some time and they are comprehensive and well thought out (IMHO). Is PCI DSS really the right standard to work from? I’d have to say anything is better than nothing, but the more comprehensive, the better. I also have mixed feelings about additional legislation. Why not let the corporations hammer it out? Then again, unless there are very specific requirements with repercussions, someone, somewhere will avoid them.

In case you’re unfamiliar, PCI DSS has 12 basic requirements, grouped under six headings:

Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
  Requirement 3: Protect stored cardholder data.
  Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software.
  Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know.
  Requirement 8: Assign a unique ID to each person with computer access.
  Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data.
  Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security.

Seems pretty basic, doesn’t it? As you get deeper into the standard, it becomes somewhat confusing… Then let the bean counters and other wordsmiths at it … Hopefully Texas and the other states that follow suit are smarter than that.

Jeremiah Grossman talked about PCI DSS section 6.6 and the application firewall issues. Some may consider that to be more band-aid work instead of doing the right thing and working on the basic building blocks that build our entire infrastructure – the applications themselves. I would argue that PCI DSS is very close to being a band-aid framework itself. While it is a good small step, it is not comprehensive enough or specific enough to become LAW. Granted, with the Brands backing the standard and certification process, it’s a framework that has some teeth, but I think the jury’s still out on the fines and usage of those “teeth”.

Computers, networks and applications have been around for quite some time (Captain Obvious, there). We rely upon them day in and day out to perform some of our most critical work functions. Protecting these assets, and the media and data they control, seems (to me, Captain Obvious) to be common sense. Why do we need legislation to force something down our throats? Does this really help us to align Information Security to our business objectives?

Since this is a blog, I should probably venture forth some of my own opinion: I have very mixed feelings about this. As a consultant, I worked with quite a few organizations with an incredibly high tolerance for risk. Controls that would have been very simple to implement were ignored. I witnessed a good deal of ignorant risk avoidance instead of educated risk determination (“if we don’t know about it, we’re not responsible”). Then again, some laws can be used as a sales scare tactic (“WE MAKE YOU SOX COMPLIANT”) or become a whole industry unto themselves.

PCI is already a requirement at places that take credit cards, so a law would only require it in other spheres. Does a blog need to be PCI compliant if it accepts personal information in a profile? What is the scope?

Legislation, reasonable or unreasonable, tends to be contagious.

Security awareness is an incredible thing:
California SB1386 brought personal information breaches to the forefront of social consciousness. Identity theft has become more prevalent in society. We need to know when/if our personal data has been compromised, so we can determine if it’s being used by someone else. I myself received more than 5 letters from the Veterans Administration when they thought they had lost a laptop with Vets’ personal information on it… then received another 5 when they determined they hadn’t lost my information and recovered the laptop.

Choicepoint, the first significant public disclosure: of course, they waited quite a bit before disclosing that “identity thieves stole the personal data of at least 163,000 Americans”.

TJX, yet another one:

Would these entities have disclosed their breached status without this legislation?

Bloated legislation, not so hot:
Sarbanes Oxley – Specifically section 404. Whole security industries popped up over night to help with this legislation. Try Googling: “Sarbanes-Oxley act section 404”
Heng Hsieu Lin and Frederick H. Wu wrote about the limitations of Section 404: “This aim is misguided for a number of reasons. First, internal control was not conceptually designed to be a panacea for corporate ills.”

Anecdotal evidence: prior to joining Veracode, I was on site with a customer auditing their ISO27001 Information Security Management System. The company had a control (for SOX-404) that stated “An intrusion prevention system (IPS) will be in front of all financial systems”. As part of the diligence process, I requested records of operation, which their policy stated were compiled logs from their IPS. They were unable to produce logs, as the IPS had been turned off. This particular customer had passed their SOX audit with flying colors, yet one of their primary controls had not been active in at least the 9 months preceding their SOX audit.

The Point:
Although I am all for responsibility and actionable policy, why not use common sense, do the right thing and avoid making more bloated laws? If we have to make legislation to cover those that will not perform due diligence in protecting our assets, then make the law actionable, simple, effective, clear and concise. Research before action!

Comments (3)

Rob Newby | May 26, 2007 8:14 am

I contribute to PCI Compliance Demystified (http://pcianswers.com) and the biggest problems I hear on a regular basis are:

a) PCI has no teeth
b) PCI is not well defined
c) PCI has no management buy in.

They all amount to the same thing. If it was better defined, it would be more easily enforced, and management would HAVE to comply. I have repeated over and over again that I think PCI DSS should be split into 2 sections, one for the technical specifications and one for the management. Does that sound familiar?

ISO27001 is the management system for ISO17799; indeed it was originally called ISO17799-2. Increasingly, companies with knowledgeable CSOs are going for compliance with this European (originally British, like me!) standard, even in the US, because it's well defined and easy to translate into a technical document. As a result they find that if they are a retailer they are PCI compliant, hospitals are HIPAA compliant, financial institutions are PCI, GLBA, SOX and MiFID compliant, and all without any extra effort.

John Jacott | May 30, 2007 1:30 pm

I agree with going with a more rounded ISMS... then again, I've worked as an auditor and author on a few 27001 projects. The problem most people see about it: It's voluntary!

Some folks, like these legislators, think they need to mandate common sense to make people practice due diligence. In some instances, I agree.

Like you, I agree that the legislation they're choosing is rather undefined, unenforced and un-purchased by management.

Mike | July 25, 2007 10:27 pm

That said, even today in 2007 many big and small organizations are unaware of many of the regulatory compliance requirements: healthcare organizations are unaware of HIPAA, retail organizations are unaware of PCI, industrial manufacturing organizations are unaware of OSHA, and so on; or else I think these organizations are purposely making no effort to become compliant with these regulatory authorities. We cannot lay all the blame on these organizations, because, as John mentioned, PCI has no teeth, and the same is true of HIPAA and many other regulatory authorities. With the growing incidence of privacy breaches, the compliance authorities need to put more effort into raising awareness about compliance and should try to make it easy and cost effective for organizations to become compliant. I just came across a website which provides a wonderful tool for complying with regulations like PCI, and it also helps with complying with many other regulations. A crosswalk matrix poster between different regulations from Symantec (http://www.compliancehome.com/symantec/) is a very useful tool for compliance teams and risk management offices. This poster is a crosswalk between ISO 17799, COBIT 4.0, Sarbanes Oxley, HIPAA, Payment Card Industry (PCI), GLBA, NERC CIP standards and PIPEDA (Canada).
