Feel Good About Your Network

IDsec Limited
31-33 College Road
Harrow, Middlesex
HA1 1EJ
United Kingdom
T: 020 8861 2001
F: 020 8861 3433
www.idsec.co.uk
Copyright © 2012 IDsec Ltd
5.11

Are regulatory demands and operational security compatible?
Will compliance spending help other security objectives?
By Simon Smith and Stephen Bishop

What Are These Regulations?

There has been much talk of late about corporate governance regulation coming from Europe and the US, as well as from our own government in the UK. Loosely bundled together under the tag "compliance" is a whole range of laws, regulatory rules and industry standards, including Sarbanes-Oxley, the FSA's rules for financial services firms, Basel II, the Payment Card Industry Data Security Standard (PCI DSS, originally driven by Visa) and HIPAA. Some of them are fairly scary, but what do they actually cover?

Perhaps it is best to look at the scariest of all, Sarbanes-Oxley. Strictly speaking it applies only to companies whose shares are listed in the US (foreign companies listed there included), but it is a useful indication of the direction of forthcoming European regulation. This law is about showing that a company's financial statements are a true reflection of its financial state, reducing the likelihood that it can act fraudulently, and quantifying its exposure to the risk of unplanned and unexpected losses.

Alternatively, in the commercial sector, the PCI Data Security Standard is a comprehensive set of requirements for securely transmitting and storing cardholder data, designed to prevent fraud and protect consumer privacy. It applies to all merchants and service providers that store, process or transmit cardholder data, and to the system components included in, or connected to, the cardholder data environment. The bottom line is that if compliance is not achieved, Visa and the other card brands will no longer take responsibility for fraudulent transactions: the losses, and any fines, land on the non-compliant merchant.

All these are laudable goals that few of us would disagree with, but what do they mean for a network manager or IT security consultant in their everyday work?
Some more detail on SOX may be helpful. Four of its sections have a bearing on IT:

- Section 302: makes a company's certifying officers (in practice the CEO and CFO) responsible for establishing and maintaining internal controls over financial reporting, and for certifying that corporate disclosures are accurate and complete
- Section 404: requires an annual assessment of the effectiveness of whatever internal controls over financial reporting the company has established, with the external auditor attesting to management's assessment
- Section 409: requires publicly traded companies to report promptly ("on a rapid and current basis") any changes in financial condition or operations that might be material to investors
- Section 802: makes it a criminal offence to alter or destroy records in order to obstruct an investigation, and requires auditors to retain audit work papers (five years under the Act itself, extended to seven years by the SEC's implementing rule)

But the law does not specify how these controls are to be achieved: it does not deal in mechanisms and technology.
The Payment Card Industry standard, however, has more concrete requirements that relate more closely to the building blocks of company networks. Its twelve requirements are grouped under six headings:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security.

So PCI gets closer to the nuts and bolts. Bear in mind that the twelve headings above are only the top level: the detailed sub-requirements beneath them do name particular control types (requirement 11, for instance, calls for intrusion detection or prevention systems to monitor traffic in the cardholder data environment), so an assessor will check for more than the headline list suggests. Even so, nobody says you must have a proxy or any other particular application security device. Technology is certainly not the driver, and it will not work alone.

More to the point, compliance touches many areas of a company's operations, far beyond the IT department. In fact, any successful approach will have to involve the audit staff: proof of process is at the core of these regulations, and evidence of process is what auditors are good at. Of course, any viable solution will need the backing of senior management, if only to make sure that sufficient funding is available.
The obvious concern, especially with all the media hype associated with the compliance issue, is of course to meet legal and industry sector requirements.

But a more immediate worry can be the need to satisfy shareholders, particularly institutional investors, who want to see that the issue is being tackled, even if completion of all the relevant projects is some way off.
A broader objective for network security staff is a better understanding of the company's networks and the traffic that they carry. This is a natural outcome of the analysis effort that compliance requires.

Another aspect of this is better change and audit management procedures, necessary to maintain any compliance requirements that have been met.

All in all, it is not unreasonable to expect a more secure network to be among the results of the exercise.

Being Nice to Compliance Teams

Network security managers should work with, not against, compliance teams, if only because they have significant budgets. Many sources indicate that compliance concerns are of themselves increasing IT expenditure.

They also have management buy-in and, for the moment anyway, can achieve changes that have previously proved impossible.

At the risk of oversimplifying, they can solve your security problems with their budget!
Look for benefits beyond the narrow dictates of compliance itself. Rather like the fuss over Year 2000, this is a good opportunity to sort out issues that have been around for a long time but have not risen far enough up the priority list to get any real resources.

Get management back on side by showing the benefit of any spending. Effort going into compliance projects should be visible and should be presented in a positive light. After all, the best compliance solutions provide a real return on investment.

Use compliance to solve your underlying security issues: they really are two sides of the same coin.

By the way, two final things to know about Sarbanes-Oxley. Senator Sarbanes' wife was born in Brighton, which is quite comforting in a strange sort of way for those of us in the UK. But Congressman Oxley was an FBI special agent before entering politics, which perhaps isn't so cheery.