Whether or not people take heed, compliance issues are certainly coming to the forefront in most analyses of the latest WikiLeaks flap. But in most of these analyses, it is unmistakable how ineffective technology was at enforcing compliance.
Consider this: There is an abundance of compliance requirements, including regulation for credit card holders (FCRA), for merchants (PCI DSS), for public entities (Sarbanes-Oxley), for privacy (HIPAA/HHS) and for children (COPPA), as well as regulations for insurance, securities trading, telecom and many more.
Most, if not all, of these requirements rely on technology to enforce compliance. WikiLeaks teaches us that it is the human factor and not technology that leads to the most damaging of breaches. All it takes is one disgruntled employee to destroy the security around intellectual property, private data or corporate secrets. But how can one build technology to prevent that?
There is no simple answer. Perhaps the only way to handle these situations is with the threat of severe penalties, and therein lies the secret to compliance technology. Enforcing severe penalties requires incontrovertible evidence. In this particular case, technology that monitors activity and audits usage can become the key to plugging leaks.
If users are properly educated on the implications and penalties involved in disseminating unauthorized information, and are informed that access is tracked in numerous ways, perhaps technology can prevent the issues now plaguing the U.S. Defense and State Departments.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.
Will the proposed national cybersecurity bill give the government too much control over the Internet? Will this be the year that most companies get serious about formulating comprehensive e-discovery programs that properly harness the power of social media tools? Will proposed online consumer protection efforts, such as the recent “Do Not Track” option outlined by the FTC, result in new standards for the industry? Which new technologies do you think have the potential to change IT compliance as we know it?
So after you have spent some quality time with your crystal ball, let us know what you think by emailing Executive Editor Ed Scannell at firstname.lastname@example.org or me, Associate Editor Ben Cole, at email@example.com. We’ll incorporate these ideas, along with our own humble opinions, in an upcoming article next month. We will also use some of your ideas to develop stories that will be included in our 2011 SearchCompliance.com editorial calendar.
Mark Green, senior special counsel at the Division of Corporate Finance, described the issues around noncompliance this way: “As long as someone has an outstanding posting or submission of interactive data, that entity is ineligible for short posting.” Green added that as soon as interactive filings are submitted or posted as XBRL, a company will once again be eligible for short-form posting.
Green said that short-term hardship exemptions of six business days are possible through application, adding that third-party involvement is not required for assurance or its preparation.
More information on the seminar can be found at XBRL.SEC.gov. An archive of the XBRL Public Education Seminar webcast is available (.WMV).
The instruction to use XBRL for business filings goes back to 2008, when the SEC proposed the use of the format. The SEC’s mandate to use XBRL initially applied only to the nation’s 50 largest companies in 2009. Companies in the next group must post XBRL filings by June 15, Green said. Tagging of mutual funds will start in 2011.
In each case, companies are required to send XBRL filings to the SEC and post them to their corporate websites, said Joel Levine, assistant director of the Office of Interactive Disclosure. Levine said that technical and taxonomy issues prevent the SEC from accepting early submissions for IFRS. “There is no requirement that interactive data appear in identical format to the traditional format of financial statements,” said Levine.
As senior news writer Linda Tucci reported in January, XBRL financial reporting has been a hard sell. The SEC is encouraging companies subject to XBRL compliance to contact the Office of Interactive Disclosure with questions about compliance. XBRL reporting may not just be for the SEC anymore, but businesses have been slow to adopt it.
Slides from the SEC’s seminar on XBRL compliance are embedded below:
As he points out on his blog, however, state and federal regulations are lagging behind in addressing Web application security, even though many enterprises are increasingly being targeted online. While the Massachusetts data protection law addresses many security controls, as Grossman observes in his blog, there’s nothing in the regulation that specifically addresses Web application security.
That doesn’t mean that an enterprise might not be held accountable for a data breach that results from a Web application exploit. In the presentation below, which Grossman shared at the RSA Conference, he offers his top 10 Web application security hacks — and some ideas on how to address them.
In this podcast, SearchCompliance.com associate editor Alexander B. Howard interviews Christofer Hoff, director of cloud and virtualization solutions at Cisco Systems, and one of Cloud Audit’s organizers. Prior to his work at Cisco, he was Unisys Corp.’s systems and technology division’s chief security architect. Hoff continues to participate in the Cloud Security Alliance. You can find Hoff’s blog at Rationalsurvivability.com/blog and follow him on Twitter as @Beaker.
Hoff says that forming A6 came out of the need for enterprise security professionals to have better tools for confirming security and cloud computing compliance at providers of these services.
When you listen to this podcast, you’ll learn:
• What Cloud Audit is.
• What problems A6 could solve for CISOs and CIOs faced with ensuring cloud computing compliance challenges.
• How Cloud Audit would map to compliance, regulatory, service-level, configuration, security and assurance frameworks, or third-party trust brokers.
For more information, visit CloudAudit.org, the relevant Google Group or the Cloud Audit code base at Google Code. Hoff has also collected recent press coverage and other information about A6 at his blog.
On Monday, Yahoo launched a new online privacy tool that, in theory, allows users to gain more insight into the data that the media company has gathered about their interests. According to the press release, the tool provides users with the ability to “assert greater control over their online experience,” providing Yahoo’s “educated guesses about their interests” and granular controls for those users to opt out of those categories or out of interest-based advertising entirely.
The “Ad Interest Manager” was announced and released in beta on the same day the Federal Trade Commission held its first roundtable on privacy in Washington, D.C. The privacy workshop agenda (PDF) for the FTC privacy roundtable includes academics, advocates and representatives from media, data mining, software and analytics companies.
This introduction of an online privacy tool for consumers by Yahoo follows the addition of an online privacy dashboard from Google last month and the July release of self-regulatory online privacy principles for the use and collection of behavioral data for Internet advertising.
Whether such efforts are enough to preemptively address attention from the FTC will be an open question in 2010. As FTC chairman Jon Leibowitz stated earlier in the year, this is “industry’s last chance to get its act together on behavioral targeting.”
Capitalizing on this regulatory focus, the Center for Democracy & Technology (CDT) also began a consumer online privacy campaign last week called “Take Back Your Privacy.”
“All social media should have granular privacy controls,” said Leslie Harris, president and CEO of CDT. An important element of the CDT’s online privacy campaign is the release of an online privacy Complaint Tool that allows people to register online privacy concerns with the FTC and share that action with their social media connections.
Harris, who was at the FTC’s privacy roundtable yesterday, says that next year will be “the first time there will be serious consideration of consumer privacy legislation in many years.”
According to the CDT’s Ari Schwartz, Rep. Richard Boucher has put forward an outline of a consumer privacy bill that will be a framework for action in January.
As Kara Swisher pointed out at CNET, the addition of this online privacy tool by Yahoo coincides with a “bigger backdrop” of “the pending regulatory approval of the massive search and advertising partnership between Yahoo and Microsoft. The two companies announced last week that they had completed the definitive agreement for the deal.”
As Swisher observed, “one of the key issues for regulators, of course, is the privacy implications of combining the search and online ad technologies of the No. 2 and No. 3 players.” Google, Yahoo and the online advertising industry as a whole will be watching carefully to see what FTC compliance and action from Congress will mean for all in the year ahead.
For insight into the way that the regulator sees the relationships here, review the FTC graphic below describing a user’s “personal data ecosystem.”
[Image source at FTC.gov. (PDF). For specific industry relationships, review these data flow charts. (PDF).]
As senior writer Linda Tucci recently reported, IT is increasingly turning to enterprise risk management as uncertainty in the macroeconomic climate continues. Even as some enterprises have held off on further investments in GRC software, she observed, “the more budgets tightened, the more imperative it became that both IT and the business target their biggest exposures and eliminate redundant controls and audits.” For instance, in some areas, like carbon compliance, specialized GRC software has the potential to help turn carbon footprint management into cost savings.
Given continued interest in the potential of GRC software, we published a new governance, risk and compliance FAQ yesterday. If you know of neutral, useful governance, risk and compliance resources online that should be added to the FAQ, please let us know in the comments or by sending an email to firstname.lastname@example.org. As we add more resources to SearchCompliance.com, you’ll be able to find them at our IT governance, risk and compliance topic page. Also, make sure to check in throughout the week here on the IT Knowledge Exchange, which features two GRC blogs: “Regulatory Compliance, Governance and Security,” by Charles Denyer, and “IT Governance, Risk, and Compliance,” by Robert E. Davis.
The diversity of stakeholders involved in IT compliance is reflected in the many compliance resources that are published each month across the TechTarget network of IT media. For instance, this month’s Storage Decisions Conference explored how storage managers must explain retention, email archiving and compliance.
At SearchOracle.com, there’s news about how Oracle updated Agile PLM for food and beverage compliance, allowing manufacturers to better analyze ingredients for safety.
At SearchFinancialSecurity.com, a new story explores full disk encryption, which is fast becoming a priority for laptop security in midmarket companies given increasing fears of data breaches. The article explains how to choose full disk encryption for laptop security and compliance.
Earlier this year, SearchNetworking.com ran “New PCI compliance rules ban WEP, tighten wireless LAN security.”
PCI DSS compliance
Since security and compliance are bound closely together, it should come as no surprise that SearchSecurity.com features new compliance resources regularly. That’s particularly true when it comes to PCI compliance.
Last week, site editor Rob Westervelt wrote “PCI virtualization SIG closer to proposing changes to standard.” Westervelt writes that the PCI Virtualization Special Interest Group, which has been studying virtualization for the payment card industry (PCI), is close to issuing guidance on ways to maintain PCI DSS compliance when using virtualization.
For more on PCI, editorial director Kelley Damore’s feature about what PCI compliance really means, in September’s issue of Information Security magazine, has a plethora of useful links.
Elsewhere on SearchSecurity.com, Eric Holmquist offered guidance on strategies for using technology to enable automated compliance.
Given that schools are back in session, IT admins entrusted with securing the records of students may find security expert David Mortman’s explanation for how to prepare for a FERPA audit useful.
Mortman also provides useful advice on the PCI DSS requirement for monitoring and testing security, on PCI DSS compliance for ensuring data integrity, and on understanding PCI DSS compliance requirements for log management.
And “across the pond,” SearchSecurity.co.UK wrote about new products that aim to streamline compliance efforts.
SearchSecurity.com also publishes compliance resources that serve the fast-moving healthcare field, including stories like “FTC extends breach notification to Web-based health repositories” and “HIPAA compliance manual: Training, audit and requirement checklist.”
Again, Mortman provides expert advice on this area, including guidelines for creating a HIPAA-compliant data center, HHS HIPAA guidance on encryption requirements and data destruction, and information on writing a patient identifier policy to prevent common HIPAA violations.
We’ve been covering healthcare at SearchCompliance.com as well, along with our sister site, SearchCIO.com, where senior writer Linda Tucci recently wrote that health care security and HIPAA compliance are on deck for CIOs.
We published “HITECH changes the game, but HIT standards still on way” this morning, in fact, following on our FAQ on the HITECH Act’s impact on IT operations and a tip about when a data breach under HITECH is really ‘discovered.’
Here’s hoping you find these compliance resources useful in your own efforts. If you have other websites you regularly visit to find compliance resources to help you meet regulatory mandates, please let us know in the comments.
When you listen to the podcast, you’ll hear Titus’ views on:
Note: Our colleague Mike Mimoso also interviewed Titus about the Obama cybersecurity plan in June for Security Wire Weekly, when the strategy was first released. The episode also features security luminary Howard Schmidt and Paul Kocher, chief scientist of Cryptography Research.
Specifically, Anthony stated that, “We know right now that there’s no widespread technology for encrypting mobile devices, but we know it’s there for laptops.”
Given that the regulation’s language includes a requirement for encryption where “technically feasible,” the issue demanded clarification. I contacted Secretariat CIO Gerry Young, who was involved in drafting the original regulation. He offered the following guidance on mobile encryption:
“This just belies unfamiliarity with the current state of encryption. Even a cursory scan will show that technologies like Snapcell, Navastream, AlertBoot, SecurStar PhoneCrypt, Endoacustica and Babylon nG have carried cell phone encryption to fairly sophisticated stages.
“Encryption for cellular phones has evolved beyond even enterprise-class smartphones, and you are beginning to see robust offerings for 3G phones available at attractive price points.
“European companies like Navastream (Germany) are making inroads in U.S. markets to fill a clear void. This will help to drive competition, and push price points lower for the consumer.
“I would think that once there are free, open source encryption alternatives — along with a plethora of low-cost encryption vendors in the cellular market — that we would be ready to mandate cell phone encryption in the near future.”
In other words, encrypting mobile devices and smartphones remains a best practice, particularly where resident PII is present, but is not mandated for 201 CMR 17.00 compliance — yet.