How regulation should — and shouldn’t — influence cybersecurity policy

As technology has advanced during the past few decades, cybersecurity policies have progressed
as well, and enterprises are generally safer now from malware and outside attack than ever before.
But the stronger defensive technologies and internal security policies get, the more sophisticated
cybercriminals become.

Most of us are familiar with the recent, high-profile data breaches affecting companies such as EMC Corp.’s RSA Security division and, most recently, Global Payments Inc. These hacks cost companies hundreds of millions of dollars every year. Unfortunately, there’s still no way to completely prevent attacks or totally insulate your business from a damaging data breach. But there are cybersecurity policy actions you can take to improve your chances. The first thing to understand? Adhering to compliance won’t really protect you.

For example, if you read through the Federal Information Security Management Act of 2002 — the government’s own information security regulation — you won’t find anything specific about what federal agencies must do to protect their information. It simply states that certain commonsense structures, such as policies, procedures and IT controls, should be in place.

What the regulation does do, however, is prevent overly negligent behavior, with penalties and fines for crossing a very low threshold. You’ll find similar elements within the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and most other privacy-related regulations issued by the government.


The good news is that compliance with these regulations is fairly easy. The bad news? They’re nowhere near sufficient as comprehensive data security guidelines. Most of the big companies involved in recent high-profile data breaches were in compliance with government regulations. Heartland Payment Systems Inc. didn’t pay over $100 million in penalties and fines to the government because they failed to comply with regulations. They paid damages to credit card companies like Visa and MasterCard because they were hacked. All the while, they were given a clean bill of health by Payment Card Industry data security compliance auditors.

A better strategy is to build a solid, prevention-focused internal security policy, because prevention addresses risk proactively. For instance, a common recommendation for dealing with cyberattacks is to build a data breach action plan to contain damage after a breach is discovered. This is reasonable advice, but if you’re at the point where the plan must go into action, the breach has already occurred. It’s far better to never have the data breach at all.

Building an internal IT security policy around prevention starts with asking the question, “What
would cause a data breach at my company?” It continues with, “How can I prevent these causes?” and,
finally, “How should my operation look if I were effectively preventing these causes?”

Build internal security around regulation

Although adhering to regulations does not provide adequate protection against cyberattacks, regulations can be a good starting point, because they provide clues as to what your actual risks are. Knowing risks is a key ingredient for building a solid internal security policy. To uncover risks, start by examining a piece of the regulation and asking, “What risk (i.e., uncertain event) is this regulation trying to control?”

For example, HIPAA’s technical security regulations state that data involving protected health information (PHI) must be secured from intrusion. It goes on to talk about encryption for network transmission. But in a closed system with proper access control, encryption is optional. What risk are we trying to prevent? It’s an unauthorized person accessing private data, regardless of how they get it.

If we focus on the real risk of an unauthorized person accessing private data, we can start to build an internal security policy around that risk. One factor to consider is the medium on which private data resides (e.g., hard drive, flash drive, CD-ROM). Regardless of physical access to the media, if the data is not usable, then it’s not accessible. One preventive control is to use encrypted media with tightly controlled passkeys distributed only to authorized personnel. This could be the beginning of your new internal security policy: always use encrypted media when PHI is involved.

Notice how we arrived at this policy through a specific risk, and how it’s different from the original regulation, which seems to be a little lax about encrypted hard drives. If BlueCross BlueShield of Tennessee had gone through this process, they probably would not have had 57 unencrypted hard drives with PHI data stolen from their facility, and they also probably would not have had to pay out $1.5 million to the Department of Health and Human Services for their data breach.

Data breaches will continue regardless of what measures companies take, since cybercriminals always stay at least one step ahead of the cybersecurity companies, but, like most criminals, they
usually pick their easiest targets. The individuals that hacked Heartland Payment Systems didn’t
pierce their firewall with sophisticated algorithms reserved for the super-intelligent — they
initially tunneled in using a simple SQL

Even if you keep your security gate high by maintaining good internal policy, you can still be
hacked. But why would cybercriminals prey on those companies when there are easier targets out
there? Remember: The best data breach is the one that never happens.

John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy. Write to him at [email protected].

This was first published in May 2012
