Secure Information Exchange - Whether It’s Data in Motion or at Rest

Archive for Compliance

Point-in-Time Compliance? Whose Fault Is It When Your Data’s Compromised

By Greg Hoffer

In a recent interview with CNET, Bob Russo, general manager of the PCI Security Standards Council noted, “Becoming compliant with the standard is pretty much a snapshot in time. An assessment company would come in and go through all those requirements and check that this stuff is in place. If everything is in place they issue a report on compliance. It is then your responsibility as a merchant to maintain that compliance.”

Russo’s point about continuous versus point-in-time compliance is interesting on many levels. As a respectable business or IT leader, you can’t argue with the fact that companies must not only meet government and industry standards at a single point in time, but that they must also update processes, tools and systems to maintain their compliance as regulations shift and change. In order to ensure information security (that you’ve mitigated risk to an acceptable level), you must treat the policies, processes and tools that you use to protect sensitive data as an evolving, imperfect set of entities.

However, it’s somewhat of a cop-out by Russo and the council to imply that because companies are not completely in compliance all the time, their information and systems are any more vulnerable than those who might be in complete compliance all of the time. To take it one step further, he also seems to be saying that a company’s lack of compliance explains why a breach occurred. Might it be possible that the standards really only provide a false sense of security for consumers?

Industry and Government Work Together to Ensure Security and Privacy of Data

By Greg Hoffer

The New Year marked an important milestone in our national history. For the first time, we’re seeing a state turn commercial industry standards for data security and privacy into law.

Nevada’s new privacy legislation, which took effect on January 1, requires government agencies and companies that conduct business in the state and accept payment cards to comply entirely with the Payment Card Industry Data Security Standard (PCI DSS). Those agencies and companies that do not accept payment cards cannot electronically transmit customers’ personal information nor move data storage devices containing customer data outside of the business unless the transmission or data storage device is encrypted. In the statute, another well-known industry standards organization, the National Institute of Standards and Technology (NIST), is used to define acceptable encryption practices.

Security standards put forth by organizations such as PCI and NIST have long been leveraged, independently, by both public and private industry in the U.S. to mitigate the inherent risk posed by electronically transferring sensitive data inside and outside of an organization, and in storing it once it reaches its destination. Updated regularly and crafted by some of the world’s leading information security experts, such industry standards represent a necessary baseline for any organization to improve its overall security procedures. These standards are an excellent place for lawmakers to start when forming meaningful cyber security legislation that protects U.S. citizens, or anyone who does business within the U.S.

Compliance, Compliance, Compliance – Haven’t We Heard Enough?

By Craig Robinson

In a word: No!

Regardless of whether you’re at a publicly traded company, dealing with sensitive patient information, or processing credit card data, you’ve heard of SOX, HIPAA, and PCI. You can’t read industry publications, watch the news, or have a business discussion without these acronyms darting in and out of the conversation. Rather than bemoan the inconvenience, we must recognize that the highly visible transgressions, or potential transgressions, of a few may result in regulatory compliance initiatives that impact all of us. We’ve seen this with SOX (in response to the Enron disaster and other similar instances of corporate misconduct) and more recently, with PCI (in response to the T.J. Maxx and Heartland breaches).

Public confidence in business-enabling technology, and in associated processes and controls, is fundamental to our economic stability. Issues of data protection, personal privacy, and corporate controls have been front and center in our increasingly digital world. Who hasn’t paused for a few seconds (or minutes!) before entering credit card information for an online purchase? Who hasn’t wondered what really happened when a seemingly viable business (think financial institution) suddenly collapses and news reports begin to describe all of the prior danger signs?
