IT Compliance Advisor

May 5, 2009  6:03 PM

A certified security professional is not a compliance guarantee

Scot Petersen

Compliance and security consultant and TechTarget contributor Kevin Beaver checked in about the Cybersecurity Act of 2009, aka the kill-switch bill.

He agrees with some other experts I’ve talked to about some key points in the proposed legislation that would mandate that only certified security professionals be allowed to work on critical cyber infrastructure.

  • Licenses and certifications may be OK, but new compliance regulations around security are not needed, considering all of the existing laws.
  • Compliance for compliance’s sake does not guarantee security.
  • In addition, the increased regulation of security professionals is spreading, with a few unintended consequences. As he wrote in a recent email:

    The same thing is being debated in the computer forensics field right now. Just like any other degree (i.e., M.D.), license (i.e., P.I. [private investigator], cybersecurity wizard, etc.), or certification (i.e., CISSP) — not a single one of them means you’re all of a sudden going to know your stuff and provide quality services.

    What it’ll end up doing is limiting the amount of professionals in the field. The politicians will then have more “control.” But, the law of unintended consequences has shown time and again that, long term, this will likely serve to create nothing more than a monopoly consisting of substandard security professionals. Everyone suffers.

    Ironically, several government agencies are vying for control of cybersecurity, or rather not to control cybersecurity, as it is too big a job for one agency. By my count, four agencies — the Department of Defense, the National Security Agency, the Department of Homeland Security and the Commerce Department — are in the mix, and now we have the proposed White House cyber office that would be created under the Internet Communications Enhancement Act.

    May 5, 2009  12:37 PM

    Podcast: HITECH Act adds new compliance requirements, penalties

    Guy Pardon

    The Health Information Technology for Economic and Clinical Health (HITECH) Act, sometimes referred to as “HIPAA2,” introduces new compliance requirements, penalties and incentives for the adoption of electronic health records. In this podcast from, privacy expert Rebecca Herold talks with associate editor Alexander B. Howard about the HITECH Act and its implications for compliance and information security professionals.

    When you listen to the podcast, you’ll learn the following:

    • What is HITECH?
    • What is generally required by HITECH?
    • Who is affected by HITECH and its compliance requirements?
    • What is the role of information technology in HITECH?
    • What are the penalties for noncompliance in HITECH?
    • How does HITECH differ from HIPAA?
    • How will HITECH change electronic health care and the jobs of health care CIOs?

    Herold is an information privacy, security and compliance consultant, and a frequent contributor to You can read her blog at and follow her on Twitter at @PrivacyProf.

    Herold’s recent work at includes:


    May 4, 2009  1:27 PM

    Prepare for compliance auditors: Tighten access control

    Sarah Cortes

    You’re a busy IT operations manager. You run a tight ship, including security operations. But are some of your basic controls as consistent as you think?

    It’s worth figuring that out before the compliance auditors arrive — or ahead of an ugly security breach that lands your company in the headlines and compromises your clients or your company’s future.

    Terminating access includes more challenges and complexities than you might assume for this seemingly simple task. It’s one of your control basics, like the fundamentals for a stroke in your squash or tennis game. Are your compliance fundamentals solid?

    For basic access control, you depend on HR to provide lists of terminated employees. If their information is not complete, accurate or timely, will people say, “HR has a hole in security?” Or will it reflect squarely on you?

    You probably already know the answer to that question! So help them out: review their workflow and report preparation procedures and capabilities.

    When you take a closer look at that HR report, check to see if it includes three commonly overlooked categories: consultants, part-time workers, and employees transferred but not terminated.

    Without these, you cannot do your job properly. And sooner or later, a breach will develop from one of these categories that can put your whole company at risk.

    That’s not the only gap you need to review, unfortunately, as HR often overlooks two other reports: all terminated employees (prior 12 months) and off-cycle terminations.

    So HR does terminations Wednesday morning to catch people by surprise. What about the one they did over the weekend because the person was on vacation? If someone is terminated on Friday night at 6 p.m., your staff will likely not get a report about this until Monday evening at the earliest — probably Thursday, more likely, when the regular weekly report comes in.

    Sure, security operations staff terminates access every day in a large organization. But have you double-checked that no one fell through the cracks? Your staff, after all, are human. It’s easy to skip a line or overlook a report. Unless you are running this reconciliation regularly, you may be in for some surprises.

    Surprise yourself and find these mistakes independently, rather than letting the compliance auditors find them.

    Believe me, they will.

    Take care of these complexities, and your compliance “game fundamentals” will be tight for the big match when the auditors come around to play.
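The reconciliation described above, written out as an added example (hypothetical code, not from the original post): it takes an HR separation feed and a directory export, both constructed sample data here, and flags enabled accounts belonging to terminated consultants, part-timers and employees, off-cycle terminations that a weekly Wednesday report would miss, terminations older than the 12-month lookback, and transfers whose access was never re-scoped. The Wednesday run day and the sample names are assumptions.

```python
"""Reconcile HR separation events against still-enabled accounts.

Hypothetical example code, not from the original post. The HR feed and
account export below are constructed sample data; a real run would read them
from the HR system and the directory."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class HrEvent:
    worker_id: str
    worker_type: str   # "employee", "consultant" or "part-time"
    event: str         # "terminated" or "transferred"
    event_date: date
    new_dept: str      # department after a transfer; unchanged on termination


@dataclass(frozen=True)
class Account:
    username: str
    worker_id: str
    enabled: bool
    dept: str          # department whose entitlements the account holds


WEDNESDAY = 2             # assumed weekday of HR's regular termination run
AS_OF = date(2009, 5, 4)  # the Monday the reconciliation runs (constructed)

# Constructed HR feed, including the categories the post says HR reports overlook.
HR_EVENTS = [
    HrEvent("w001", "employee", "terminated", date(2009, 4, 29), "finance"),
    HrEvent("w002", "consultant", "terminated", date(2009, 4, 24), "it"),   # Friday night
    HrEvent("w003", "employee", "terminated", date(2009, 4, 22), "sales"),
    HrEvent("w004", "part-time", "terminated", date(2008, 3, 12), "ops"),   # over a year ago
    HrEvent("w005", "employee", "transferred", date(2009, 4, 15), "marketing"),
    HrEvent("w006", "employee", "transferred", date(2009, 4, 15), "hr"),
]

# Constructed directory export: who still has an enabled account, and where.
ACCOUNTS = [
    Account("jdoe", "w001", True, "finance"),
    Account("contractor1", "w002", True, "it"),
    Account("mlee", "w003", False, "sales"),       # correctly disabled
    Account("ptemp", "w004", True, "ops"),
    Account("rsmith", "w005", True, "finance"),    # moved, entitlements not moved
    Account("akhan", "w006", True, "hr"),          # moved and re-scoped correctly
    Account("bnguyen", "w007", True, "legal"),     # active, no HR event
]


def reconcile(events, accounts, as_of, lookback_days=365, regular_weekday=WEDNESDAY):
    """Return sorted (username, finding, detail) tuples for enabled accounts whose
    owner was terminated, or transferred without their access being re-scoped."""
    latest = {}  # most recent HR event per worker
    for ev in events:
        if ev.worker_id not in latest or ev.event_date > latest[ev.worker_id].event_date:
            latest[ev.worker_id] = ev
    findings = []
    for acct in accounts:
        ev = latest.get(acct.worker_id)
        if not acct.enabled or ev is None or ev.event_date > as_of:
            continue
        if ev.event == "terminated":
            detail = f"terminated {ev.event_date}, {(as_of - ev.event_date).days} days ago"
            if ev.worker_type != "employee":
                detail += f"; {ev.worker_type} (often missing from HR report)"
            if ev.event_date.weekday() != regular_weekday:
                detail += "; off-cycle termination"
            if ev.event_date < as_of - timedelta(days=lookback_days):
                detail += "; older than 12-month lookback"
            findings.append((acct.username, "terminated-still-enabled", detail))
        elif ev.event == "transferred" and acct.dept != ev.new_dept:
            findings.append((acct.username, "transferred-access-not-rescoped",
                             f"account still in {acct.dept}, worker moved to {ev.new_dept} on {ev.event_date}"))
    return sorted(findings)


def sample_findings():
    return reconcile(HR_EVENTS, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for username, finding, detail in sample_findings():
        print(f"{username:12} {finding:32} {detail}")
```

Run it against the real HR feed and directory export on a schedule, and treat any non-empty result as an exception to clear before the auditors ask.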


    May 1, 2009  4:18 PM

    Cybersecurity trends: Security and compliance aren’t the same thing

    Guy Pardon

    When I first blogged about my experience at RSA Conference 2009, I noted that cyberwar, compliance, virtualization and cloud security were key trends at RSA. A week later, I still see that as an accurate statement, but it’s one that fails to capture a shift in the larger context of information security in 2009.

    It’s not enough to be compliant anymore; organizations must actually be secure.

    Security and compliance officers understand the distinction, of course, but guidance is now coming down from top scientists and, if recent legislation in Washington passes, directly from the federal government. Just read “ICE Act would restructure cybersecurity rule, create White House post” and “Kill-switch bill would add certification, licensing burdens” to see what may be coming down the pike.

    I gained perspective on this trend towards actual security as opposed to rubber-stamped compliance throughout RSA. Speakers, panel sessions, analysts and informal conversations with security practitioners all reiterated that security and compliance aren’t the same thing.

    Alan Paller, director of research at SANS, said he sees the shift from compliance to actual security as long overdue — and driven directly by the Department of Defense. As Paller sees it, the “20 Critical Controls,” or consensus audit guidelines (CAG), are the new gold standard for security and compliance for federal agencies, defense contractors and all other parts of the nation’s critical infrastructure.

    The Commission on Cybersecurity for the 44th Presidency, headquartered at the Center for Strategic and International Studies, released a cybersecurity report that supports and extends these controls. Former USAF CIO John Gilligan has been driving discussion and implementation of these controls through the national defense infrastructure. As Paller noted in an interview, it’s key to know what metrics matter. Without guidance, “people will dashboard all the wrong data. It’s like keeping a garage clean but not bothering to lock the door.” Paller says that the SANS Institute is shifting its training for security and compliance professionals to “the controls that matter” under CAG, focusing on actual security. That means hardening software, hardware and infrastructure after taking inventory of all assets, as mandated by NERC compliance requirements. “Government agencies must be required to comply with a set of prioritized controls that actually stop attacks.”

    Peter Firstbrook, a Gartner analyst for security, said he sees considerable frustration regarding the mismatch between security and compliance on the part of enterprise executives in the private sector. The trends that he sees are towards “minimizing the attack surface,” where neither security is addressed with patches nor compliance with checklists. Organizations are doing due diligence with regards to gap analysis and taking inventory of both proprietary and protected data. That’s key, since Firstbrook has observed that malware is getting more and more intelligent. “There’s a huge infection of targeted attacks that disable endpoint security.”

    Firstbrook also extended a biological metaphor to the security challenges faced by organizations in the current landscape of shifting threats: “Patches are like a visit to the ER. The key is to understand AV, software, hardware, viruses and worms as part of an ecosystem of threats and to engage in preventive ‘medicine’ beforehand. Conficker was avoidable.”


    May 1, 2009  3:34 PM

    RSA Conference Advisory Board highlights cybersecurity threats, trends

    Guy Pardon

    A lunchtime roundtable with the Advisory Board for last week’s RSA Conference 2009 offered forward-looking advice on information security trends and cybersecurity threats based on research and conference discussions. Asheem Chandna of Greylock Partners, Benjamin Jun of Cryptography Research, Tim Mather of RSA, Ari Juels of RSA Laboratories and Rich Mogull of Securosis enjoyed a spirited discussion with journalists from the BBC, USA Today and this author over a light lunch.

    Security in the cloud

    Cloud computing and trends in security dominated the roundtable, reflecting the overall focus of the conference. Juels said he thought the cryptographers’ panel, for instance, produced a more apt description for cloud computing: “swamp computing.” Swamp computing was coined by noted MIT computer science professor Ronald Rivest, speaking during the panel Juels moderated.

    “Cloud computing sounds so sweet and wonderful and safe,” Juels said. “We should just be aware of the terminology — if we go around for a week calling it swamp computing, I think you might have the right mind-set.” Security issues in the cloud were top of mind everywhere.

    Both Mather and Juels said they see significant issues with both risk and responsibility. Juels cited research at the RSA Labs into the decoupling that takes place in cloud computing models. “Where does data reside? Where are the trust boundaries?” Risk still resides with the organization that collects that data and gives it to the cloud provider, often without confirmation of the requisite controls for access and audits.

    He also noted that RSA Labs has developed a technology to show where data has been moved across the cloud, addressing potential corruption issues, but issues of access and auditability remain. That’s going to be a headache for many companies, as Mogull noted, given the number of organizations that are already in the cloud and don’t know it. In fact, he said, 100% of the Fortune 500 are in the cloud on some level; are CIOs universally aware of their exposure?

    Other issues with cloud computing were top of mind as well, including standards and interoperability. The Open Cloud Platform, for instance, touted by Sun as a way to deal with vendor lock-in, simply won’t go anywhere given the vested business interests of the cloud providers, unless customers band together to demand accountability and standards.

    The gathering storm of RFID hacks

    Such standards aren’t just relevant in the cloud, however, as issues with RFID security held the roundtable’s attention for a while as well. As privacy experts know, new U.S. passports now contain RFID chips. The issue raised by Juels is that the chip in passports can be scanned and cloned. He noted that research at the University of Washington called into question assertions by the government of the security of such tags; under optimal conditions, RFID data could be read more than 100 feet away.

    Juels observed that there’s a design drift issue brewing: What happens when these tags are added to driver’s licenses under Real ID? If the technology isn’t implemented correctly, sensitive data could be exposed. These concerns aren’t academic; in the state of Washington, officials forgot to program the “kill pin” in distributed RFID chips, which could in turn allow third parties to disable the device at a point of sale or elsewhere if desired. (Neil Roiter, Senior Technology Editor at Information Security magazine,  conducted a separate Q&A with Juels at RSA, RFID tags may be easily hacked, where they discussed his research, advances in multifactor authentication, cloud computing security, and his first novel, Tetraktys, which was launched at the conference.)

    The so-called “Western Hemisphere Travel” card will have an RFID tag in it as well. RFID chips that are left exposed could leave travelers open to clandestine tracking. Such concerns are precisely why the RFID chips in U.S. passports are surrounded with a thin metal shield to prevent reading while closed. Jun said he’s concerned that mistakes in the way that RFID is being implemented and regulated by state and federal agencies may poison the industry. As Mogull observed, such mistakes have already created substantial headaches: MasterCard’s initial RFID deployment in credit cards left the devices actively emitting names and credit card numbers. The issue, as those at the roundtable seemed to agree, is that the cost and business use cases aren’t driving deployments that invest in the necessary protections, even with the Electronic Frontier Foundation acting as a watchdog.

    Even in the context of major cybersecurity threats, however, the roundtable expressed cautious optimism that the trend lines for 2009 may lead to positive changes in the information security industry. Jun said he thinks that IT budgets slashed amidst the recession are actually a welcome challenge for information security professionals. Buying cycles are lengthening, except when there’s a data breach. The enterprise CIO isn’t allowing new appliances to be purchased. Instead, CISOs are being asked to build security architectures in-house, do complete risk assessments and map out vulnerabilities. Security practitioners must then defend what has been done to auditors. As Jun sees it, “this is what CISSPs were trained to do – not install boxes.”

    Innovation may finally return to information security software

    Tough times and tight budgets also mean that innovation around information security on the part of vendors and CISOs alike is necessary. Chandna, a venture capitalist, said he sees improvements coming to both physical and logical security. The winner of the innovation award at RSA this year, in fact, was a company that combined the two. AlertEnterprise, based in Fremont, Calif., focuses on detecting and resolving blended threats to a computer network, the building itself or both. Chandna posited that such technologies would have been useful for detecting ongoing fraud at Satyam, where checks were being issued to phantom employees.

    Chandna said he also sees a clear need for innovation in Web security, a position echoed around the table and on the RSA Conference floor. Infection through Web apps and other Web 2.0 platforms is a cause of considerable concern for enterprise CISOs for the coming year. Given the long lines for the sessions on cybersecurity threats at RSA, Chandna’s concern regarding the growth of organized criminal networks online is matched by delegates.

    Takeaways from RSA 2009?

    Jun said he sees substantial concerns in the security community over the insider threats posed by the recession. Trade secrets and leaks aren’t likely to be publicized. CISOs have told him that they are “seeing an increase in access to customer files,” a trend that is likely to make data loss prevention a critical practice for the enterprise security officer in the months ahead.

    Chandna saw similar threats to data security, noting that many vendors have now appended compliance to the descriptions of their solutions. Mather agreed with these assessments, adding that there is the potential for a “National Cyber Leap Year” where the big vendors make major adjustments to the changes in threat environments. He said he believes that the combination of the recession, consumer awareness of data breaches and identity theft and the federal government “waking up” to massive cybersecurity vulnerabilities to critical infrastructure will combine to create a sea change in the industry. He sees the potential for unprecedented collaboration in information security, in reporting, coordination and systems management.

    Given the pace of change that has already been set to date in 2009, those predictions may still hold water at year’s end.


    April 27, 2009  5:45 PM

    Kodak CISO on meeting today’s compliance challenges

    Guy Pardon

    In this IT Compliance Advisor podcast from, associate editor Alexander B. Howard interviews Bruce Jones, chief information security officer (CISO) at Eastman Kodak Co.

    Over the course of the wide-ranging interview, recorded on-site at RSA Conference 2009 in San Francisco, Jones discusses the challenges he faces as the CISO for a global multinational company. Listen to the podcast to learn:

    • What innovations he has introduced to meet today’s compliance challenges.
    • How he aligns risk, compliance and security at Kodak.
    • How Kodak approaches forming and following a compliance strategy.
    • What his biggest pain points are in meeting compliance requirements, and how he is addressing them.

    April 24, 2009  7:58 PM

    At RSA: Cyberwar, compliance, virtualization and cloud security

    Guy Pardon

    What’s been the buzz at the RSA Conference? Constant and loud, to be sure, but perhaps a dull roar compared with past years. Seasoned analysts, vendors and delegates all note that attendance is down, no doubt due to a decrease in travel budgets mandated by the recession. For those here, of course, the number of sessions, keynotes and peer-to-peer meetings meant it’s impossible to see and do everything.

    Even so, amidst the hubbub several trends emerged. As you’d expect at a security conference, vulnerabilities in software, hardware and infrastructure have gathered attention, especially for CISOs who are navigating the thicket of regulatory guidance emerging from Washington and statehouses.

    Everyone is looking for ways to use software to ease the burdens of compliance. As I’ll argue in a forthcoming article, however, there is an emerging sea change in the way that government agencies, defense contractors and enterprises are approaching compliance that is not rooted in the current suites of compliance software or frameworks.

    As my colleague Neil Roiter at reports, secure software development starts before coding begins. Experts here are emphasizing the importance of baking security into software from the beginning, especially for Web applications.

    The need for more effective security couldn’t have been made more clear when breaking news came out of The Wall Street Journal about a data breach at the U.S. Joint Strike Fighter program. When news that computer spies had breached the fighter-jet project filtered onto the floor, the NSA booth and the keynote from the director of the NSA, Lt. Gen. Keith Alexander, instantly gained mass attention. According to the story, the intruders copied and removed terabytes of data related to the design and electronics systems of the aircraft. As reported in the story, breaches also compromised the Air Force’s air-traffic-control system. The story follows on the reported penetration of the U.S. electrical grid.

    News that Russian and Chinese cyberspies have been probing critical U.S. infrastructure has forced the issue of cybersecurity to the forefront of conversation. Speculation is rampant in the security blogger community that leaks of the compromised systems are helping to build consensus behind the proposed cybersecurity bill before Congress, and in getting more federal dollars for the affected agencies.

    As Rob Westervelt reports, “a panel of experts from the Department of Defense, National Security Agency and the Department of Homeland Security agreed that drastic measures are needed to shore up defenses of critical infrastructure and ensure a plan is in place for critical communications in the event of a national emergency.” Read more in “U.S. government needs a plan to limit Web usage during a security crisis.”

    Commentary around the data breach and the issues that the NSA chief identified has been swirling, online and off. Just track the #cyberwar hashtag on Twitter to get a sense of the flow.

    Security for cloud computing and in virtualized environments continues to be of great interest to attendees as well. The Cloud Security Alliance released a white paper identifying key best practices for secure adoption of cloud computing, many of which have sparked deep discussion in sessions and on the floor. Security for citizens is on the table as well, as panels discussing potential national privacy laws and the impact of new legislation (like the MA data protection law) has shown.

    What’s coming from Look for podcasts with Kodak’s CISO and other security professionals and analysts; an interview with Alan Paller, director of research at SANS; a video with Verizon’s senior vice president of innovation and technology on the company’s data breach research; interviews with CA’s Dave Hansen and McAfee’s Kunz; and a feature on compliance in the cloud.

    Make sure to follow @ITCompliance (and, if you like, @digiphile) to get updates directly from the floor at RSA from the past week. As you can see below, there’s plenty of humor and fun to be found here as well. Peace, love and cybersecurity from San Francisco.


    April 23, 2009  2:08 PM

    IT spending, budget increases tied to compliance

    Scot Petersen

    The poor economy and recession have resulted in cutbacks just about everywhere, but apparently not in information security technology spending. That’s not necessarily good news, though, for those looking for a return on investment of their IT dollar: Much of the increase in IT spending around security is being tied to meeting regulatory compliance obligations, according to a recent report.

    The global study, “Economic downturn drives increased spending in IT security worldwide” [PDF download], by GMG Insights of Sherborn, Mass., and sponsored by CA, shows that only 8% of respondents plan to spend less on security, while 42% anticipate an increase in spending. The increases are tied to increased internal threat management and regulatory compliance, the report said.

    Companies in North America, EMEA (Europe, Middle East, Asia), and AsiaPac spend around 25% of their IT security budget on regulatory compliance. Most of those companies, by a wide margin, anticipate that new regulations will result in increased compliance spend: North America 81%, EMEA 79%, and AsiaPac 69%, according to the report.

    April 22, 2009  9:56 PM

    Cybersecurity is ‘a critical national interest,’ says Hathaway

    Guy Pardon

    “It is the fundamental responsibility of our government to secure cyberspace for its citizens and the world.”

    — Melissa Hathaway

    Melissa Hathaway’s keynote at RSA kicked off with the Mission Impossible theme. The acting director of cyberspace security will need to summon all of Ethan Hunt’s ingenuity to master the task before her. You can watch the archived livestream of Hathaway’s keynote to the RSA Conference on (video is from the side and the sound is suboptimal). Alternatively, watch a high-quality version of Hathaway’s keynote from RSA itself.

    Melissa Hathaway at RSA

    Notable quotes from Hathaway’s speech:

    “The president identified cybersecurity as one of the top priorities for his administration.”

    “Our global infrastructure is not secure enough nor resilient enough to support our current and future needs.”

    “Humor aside, the U.S. is at a crossroads. Cyberspace underpins almost every part of our nation’s critical infrastructure.”

    “The public and private sector interests are intertwined when it comes to cybersecurity.”

    As she finished her cybersecurity address, Hathaway cited Edgar Allan Poe, Ralph Waldo Emerson and Wallace Stegner’s Angle of Repose. Those references added an unusually literate tone to this highly technical conference.


    April 21, 2009  3:56 PM

    The future of compliance policy management

    Scot Petersen

    Compliance is not just “one thing” for businesses anymore. Compliance has become a broad subject like “finance” or “security,” with many sub-topics underneath that umbrella. The best strategy for the range of compliance policy management issues facing IT and business managers today is to take a risk-based approach, says compliance and security consultant Kevin Beaver. In this week’s edition of the IT Compliance Advisor podcast, find out where big and small businesses should be focusing their compliance management efforts.
