Posted by Buck Kulkarni on 18 Aug 2014
You never consciously thought about IT security when you wrote code for mainframe computers or even early PCs. They were secure by default, or at least so you thought.
Two developments turned this on its head over the last 15 years. The web became the principal conduit for your applications, and very quickly at that. Your software was suddenly visible to almost anyone anywhere in the world. This was great for your business and great for the good guys you wanted to talk to, but it was even better for the bad guys. In the early days, the nerds just wanted to fool around and show off, but very quickly the real bad guys realized the potential to make huge money with almost no risk or barriers. In response to these threats, various governments and industry bodies jumped in. With good intent, they wrote many regulations and best practices that they wanted everyone to follow, to improve their individual security posture as well as to make the whole world a safer place.
While no one denies the good intent, the regulatory canvas becomes more difficult by the day for a business to understand and comply with. Regulations are made by different departments of the government with national ramifications, but only for the slice of the industry that the department has authority over. They are also made by state or local governments that have very specific geographic implications but cover a broad range of industries (or even all industries). Then there are regulations made by foreign governments that apply to you because you have a customer in that government's jurisdiction. Finally, there are attempts at self-regulation by industry bodies themselves, hoping to clean up the act of their participants before government steps in with severe regulation and penalties.
Let us take a quick look at some of the major regulations to understand the complexity of this situation:
Sarbanes-Oxley Act: The Sarbanes-Oxley Act of 2002 (SOX) was a response to corporate scandals. Its most prominent aspect, from an IT perspective, is Section 404, which requires that the annual reports of public companies include an end-of-fiscal-year assessment of the effectiveness of internal control over financial reporting. Section 404 is literally a one-liner that kick-started an entire industry of security audits and remediation.
Gramm-Leach-Bliley Act: The Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), protects the privacy and security of individually identifiable financial information collected, held, and processed by financial institutions. The safeguards component requires that financial institutions establish a comprehensive security program to protect the confidentiality and integrity of the private financial information in their records.
Health Insurance Portability and Accountability Act: The Health Insurance Portability and Accountability Act (HIPAA) includes, among its various components, privacy and security rules. These rules focus on Protected Health Information (PHI) and electronic PHI (ePHI) gathered in the healthcare process and mandate the standardization of electronic transactions, code sets, and identifiers.
Bank Secrecy Act: The Bank Secrecy Act (BSA) is one of the oldest laws on this list, having been passed into law by the United States in 1970. The BSA is sometimes referred to as an Anti-Money Laundering (AML) law or as BSA/AML. The BSA requires banks and other financial institutions to report certain transactions to government agencies and to withhold from clients the fact that such reports were filed about them.
USA PATRIOT Act: The USA PATRIOT Act (Public Law 107–56) is federal legislation in the U.S. passed soon after the September 11, 2001 terrorist attacks. The Act expands the authority of U.S. law enforcement for the stated purpose of fighting terrorist acts in the U.S. and abroad. This expanded legal authority is also used to detect and prosecute other alleged crimes.
The Federal Information Security Management Act: The Federal Information Security Management Act of 2002 (FISMA) was enacted to bolster computer and network security within the U.S. federal government and affiliated parties (such as government contractors) by mandating yearly audits. If you are a government body or do business with US government bodies, you need to comply with this Act.
Payment Card Industry Data Security Standard: The PCI Data Security Standard (PCI DSS) consists of 12 basic requirements supported by very detailed, granular guidance on technology security management. This is one of the self-regulation efforts, and with continued massive credit card data breaches at organizations that have been PCI DSS attested for years, this standard gets more than its share of criticism as to its effectiveness.
California Senate Bill 1386: California Senate Bill 1386 (CA SB 1386) was introduced in July 2003 as a first attempt by a state legislature to address the problem of identity theft. In short, the bill introduces stiff disclosure requirements for businesses and government agencies that experience security breaches that might endanger the personal information of California residents. Bottom line: if there is one resident of California in your database (employee, customer, vendor, casual visitor), you need to worry about this Act.
European Union Data Protection Directive: The European Union Data Protection Directive (EUDPD) standardizes the protection of data privacy for citizens throughout the European Union (EU) by providing baseline requirements that all EU member states must achieve in national regulations. Each EU member nation passes its own laws that must be independently complied with.
Personal Information Protection and Electronic Documents Act: The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal regulation that governs the collection, use, and disclosure of personally identifiable information in the course of commercial transactions. The act was created in response to European Union data protection directives that limit trade with nations whose privacy protection does not meet EU standards.
There are, of course, dozens more regulations, but the above sample suffices to give you a small snapshot of the complexity and size of the effort involved in complying.
We, at Alacriti, are smack in the middle of all these regulations, as our customers are primarily from Financial Services, Insurance, Healthcare, Retail and Public Utilities. These industry segments are among the most heavily regulated, and as their partner in information capture, processing, storage and transmission, they expect us to build our systems and services so that they fully comply with these regulations and help them maintain a very secure and compliant posture at all times. We are often a party to the audits that their internal or external auditors, or even examiners, conduct to ensure that things are in good hands at our end.
From topical security measures to building enterprise-wide risk and security management programs, we have come a long way in our security journey only to realize that a much longer journey lies ahead of us.