WASHINGTON (11/07/2003) - The need to comply with an array of complex data laws will dominate the security agenda in 2004, according to attendees at the Computer Security Institute conference here this week.
As in previous years, IT security managers expect to spend considerable time and resources fending off destructive intrusions and insider threats.
But the most daunting challenge will be dealing with laws such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, California's SB 1386 privacy law and international data integrity and privacy laws, they said. As a result, the emphasis will be on issues such as policy management and enforcement, benchmarking against standards, incident response, forensics and monitoring for insider threats.
"As far as my business and industry in general goes, the single biggest driver is compliance with all the new data and privacy laws," said Michael Kamens, global network security manager at Thermo Electron Corp., a US$2 billion manufacturer of scientific equipment in Waltham, Mass.
As a publicly traded U.S. manufacturer with multinational operations, Thermo has to deal with compliance issues ranging from Sarbanes-Oxley to a Chinese encryption requirement that involves filling out forms in Mandarin. "It is requiring me to quadruple the effort that I have to put in on a daily basis to ensure that my company is in compliance and that I'm safeguarding its good name," Kamens said.
United Government Services LLC, a Milwaukee-based provider of administrative and consulting services for publicly funded health care systems, is governed by 400 security requirements issued by the Centers for Medicare and Medicaid Services. Meeting all of them will be a "very large driver" of security efforts next year, said systems security officer Todd Fitzgerald.
For the most part, the efforts will focus not on technology improvements but on implementing security policies and management processes to ensure regulatory compliance. "It's a process that will involve spending a lot more time working with management and end users, educating them on what the security risks are," Fitzgerald said.
Third-party connectivity issues are a priority at St. Jude Medical Inc. in St. Paul, Minn.
As a $1.6 billion manufacturer of cardiovascular equipment, with 15 facilities worldwide and customers in 120 countries, St. Jude has to make sure it avoids liability for security breaches involving its supply chain or business partners, said David Stacey, global IT security director.
"Regulation is a massive issue, and most organizations are clearly not ready to deal with the myriad issues and details involved," said Ben Rothke, a senior security consultant at Thrupoint Inc., a management services company in New York.
Complying with data regulations will mean turning traditional notions of the IT security function and its role within organizations upside down, said Terri Curran, director of research at the Center for Digital Forensic Studies Ltd. in Auburn Hills, Mich.
"CSOs in the near future are going to have to get more creative about things like privacy, risk acceptance, forensics, industry-related regulations, and state and federal laws that are really going to affect them," Curran said.
IT Obligations Unclear Under California Privacy Law
Four months after new California privacy rules went into effect, more questions than answers have surfaced about what the law requires of IT organizations, according to legal and security experts. And answers are unlikely until at least a few cases are prosecuted and there's legal precedent that can be followed, they added.
Senate Bill 1386, which went into effect July 1, requires companies to inform California customers of security breaches involving the compromise of their names in combination with their Social Security, driver's license or credit card numbers.
But the ambiguous wording of the law leaves it open to a wide range of interpretations, said Erik Laykin, president of Online Security Inc. in Los Angeles.
The law is unclear on several points, agreed Charlene Brownlee, an attorney at Fulbright & Jaworski LLC in Austin. For instance, it's not specific about when disclosure is required from an IT perspective, Brownlee said. Under SB 1386, disclosure is mandated when "it is reasonably believed" that personal information has been acquired by an unauthorized person, she said.
But "even if a network is hacked, it's not always apparent what data was compromised," said Brownlee. The legislation also calls for "prompt" communication of such breaches without specifying how soon customers need to be contacted, she said.
Similarly, while the law's notification requirement applies only to unencrypted personal information, it doesn't specify what level of encryption is good enough, or whether both stored data and data in transit have to be encrypted, users said.
"There's a lot of concern all over the board, because there haven't been any cases that define the expectations for this law," said Erin Kenneally, a forensic analyst at the University of California's San Diego Supercomputer Center. "Fear, uncertainty and doubt often rule the day in situations where there's not a lot of guidance."
Both the university and the supercomputer center have taken steps to minimize exposure under the law. In some cases, data is being encrypted; in others, personally identifiable data is being replaced with unique identifiers.
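The second of those measures, replacing personal data with unique identifiers so that a breached application store no longer pairs a name with an SSN, driver's license or credit card number, is what a practitioner would want to see worked through. The following is an added example, not code from the article or from UC San Diego; it assumes a hypothetical two-store design in which the application store keeps records with the sensitive fields replaced by random tokens and a separately protected vault holds the token-to-value mapping. The field names, the `tok_` token format, and the sample records are all constructed for the example.

```python
"""Pseudonymisation check for SB 1386-style records.

Added example, not code from the article or any organisation it quotes.
Assumes a hypothetical two-store design: the application store keeps records
whose sensitive identifiers are replaced by opaque tokens, and a separately
protected token vault holds the token -> value mapping. Field names and the
token format are assumptions made for this example.
"""
import secrets
from typing import Dict, Iterable, List, Optional

# Identifiers that, paired with a name, trigger notice under SB 1386 as the
# article summarises it: Social Security, driver's license or credit card number.
SENSITIVE_FIELDS = ("ssn", "drivers_license", "credit_card")
TOKEN_PREFIX = "tok_"   # assumed token format for the example
TOKEN_HEX_LEN = 32      # 16 random bytes, hex encoded


class TokenVault:
    """token -> plaintext map. An in-memory dict stands in for the separately
    protected store the design assumes; a real vault would be encrypted and
    hosted apart from the application database."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # A random token carries no information about the value it replaces,
        # unlike a plain hash, which an attacker could brute-force for a 9-digit SSN.
        token = TOKEN_PREFIX + secrets.token_hex(TOKEN_HEX_LEN // 2)
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]

    def holds(self, token: str) -> bool:
        return token in self._store


def is_token(value: str) -> bool:
    return value.startswith(TOKEN_PREFIX) and len(value) == len(TOKEN_PREFIX) + TOKEN_HEX_LEN


def pseudonymize(records: Iterable[Dict[str, str]], vault: TokenVault) -> List[Dict[str, str]]:
    """Copy each record, replacing every populated sensitive field with a vault token.
    The name stays in the record: it is the combination with an identifier that
    triggers notice, so breaking the pair is what matters."""
    out: List[Dict[str, str]] = []
    for rec in records:
        clean = dict(rec)
        for field in SENSITIVE_FIELDS:
            if clean.get(field):
                clean[field] = vault.tokenize(clean[field])
        out.append(clean)
    return out


def triggers_notification(record: Dict[str, str], leaked_vault: Optional[TokenVault] = None) -> bool:
    """True if the record exposes a name together with a usable sensitive identifier.
    A tokenised field counts only if the attacker also obtained the vault that
    resolves it (leaked_vault)."""
    if not record.get("name"):
        return False
    for field in SENSITIVE_FIELDS:
        value = record.get(field)
        if not value:
            continue
        if is_token(value):
            if leaked_vault is not None and leaked_vault.holds(value):
                return True
            continue
        return True
    return False


def notification_list(records: Iterable[Dict[str, str]], leaked_vault: Optional[TokenVault] = None) -> List[str]:
    """Names of the people who would have to be notified if `records` were exposed."""
    return [r["name"] for r in records if triggers_notification(r, leaked_vault)]


# Constructed sample data: not real people; the card number is a standard test number.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "email": "alice@example.com"},
    {"name": "Bob Example", "credit_card": "4111111111111111"},
    {"name": "Carol Example", "email": "carol@example.com"},
]


if __name__ == "__main__":
    vault = TokenVault()
    stored = pseudonymize(SAMPLE_RECORDS, vault)
    print("raw store breached:       ", notification_list(SAMPLE_RECORDS))
    print("tokenised store breached: ", notification_list(stored))
    print("store and vault breached: ", notification_list(stored, vault))
```

Run stand-alone, the script shows the point of the design: a breach of the raw store would require notifying Alice and Bob, a breach of the tokenised store alone requires notifying nobody, and a breach that also takes the vault puts both back on the list. The exposure has not disappeared; it has moved to the vault, which is why the vault must be protected more strongly and separately from the application data.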
"What people have to do is to interpret the law to what seems reasonable for your environment," said Todd Fitzgerald, a systems security officer at United Government Services.
"You've got to see what the intent of the requirement is and try to satisfy that to the (extent possible)," he said. "There has to be some judgment that you are putting into that."