Editor's Note: Migrating HP 3000 sites must be responsible for security in more extended detail, once they move operations onto open enterprise environments. In the second of a series of articles, CISSP security expert Steven Hardwick of Oxygen Finance outlines how security regulations, agreed upon by the industry, help the secure IT environment.
By Steven Hardwick
Why do we need security regulations which relate to IT anyway? Many IT professionals believe compliance is way too complicated. Or that it costs a lot of time and money that could be better spent. For example, the HP 3000 might have better, OS-level security for credit card processing that flows through MPE servers (although that level of protection is available through open source solutions.)
If only the data would back up the IT pro's desire to disregard compliance. The latest Verizon Data Breach Investigations report should dispel the myth that security is simply a function of the IT department getting firewall configurations up to date. The 2013 report shows attacks varied from hacking, to social engineering and physical attacks. Physical, technological and administrative security controls were breached to make the attacks possible. In many cases, multiple controls were compromised to breach the organizations infrastructure. But a third of IT pros say security is too hard to implement (click on the graphic for details.)
Why do we need regulations? It boils down to the two distinct challenges with security: a legal definition of malicious behavior, and a difficult to quantify return on investment. First, to address the legal position of defining a malicious act may not be that simple.
Theft in the information world can involve merely taking a copy of the data. The original data may still be in the possession of the owner. To be able to prove theft in this case, a new definition of “illegal copying” has to be defined. In the information world, the copy or the operation that created it has to be detected. It is now a lot more difficult to define information theft as the concept of copying now has to be legally defined.
To illustrate the legal difficulties, consider this challenge. If a neighbor sees a unprotected wireless network router and is given an IP address by the DHCP server, does it constitute the owner's permission to have Internet access?
Compliance standards establish a set of security controls that are not concerned with legal definitions of malicious activity. This allows an organization to stem the threat of breaches without relying on a legal framework to enforce it. A good example is the Payment Creditcard Industry Data Security Standards (PCI-DSS or just PCI). This compliance standard is solely enforced by the credit card community. As such it can quickly adapt to define requirements that meet mitigating new threats.
I was once involved in a HIPAA audit. After the presenting the audit results to the CIO, the next question was remediation. The CIO’s response was, “After consulting with legal council, we are taking no action to mitigate the deficiencies found in the audit. They have informed us it would be cheaper to litigate than spend funds on security changes.”
That was in the early days of HIPAA. in those days, that regulation lacked teeth. To rectify this, the US government passed the Health Information Technology for Economic and Clinical Health (HITECH) Act for enforcement. It defines what's a breach of information. plus the responses that organizations must take after a breach. Very quickly, the cost of not putting security controls in place changed, especially due to the enforcement defined by the act.
Why are there so many regulations and laws?
With PCI and HITECH, why are even two needed? Well, the two standards were developed by different specialists, and so the laws are different. PCI's goal is to prevent the misuse of Credit Card information. HITECH/HIPAA is focused on medical information.
To additionally diversify standards, the groups focused only on the threats and impact of breaches in their particular industry. For example, compromised credit card data can be used globally, whereas medical data tends to be country specific. PCI is a global standard, whereas HITECH is only US based.
Standards tend to be focused on the type of information they protect. For example, although a credit card number may be used in conjunction with a medical record for payment of services, HITECH does not define the card as part of the information that needs to be protected.
Organizations that have multiple data sets will fall under multiple regulations and standards. A public Insurance company that uses credit card payments for medical services would, at a minimum, have to comply to PCI (Credit Card data), HITECH (Medical data) and Sarbanes Oxley Act, or SOX, (Public Financial data).
What other challenges are there?
There is hope. In many cases the standard or regulation will give a list of compliance goals. Applying the goal will depend on how the controlled information is used in within the business. Some standards will give guidance on how to implement security controls to comply with the goals.
For exaple, PCI has requirements around penetration testing for network interfaces. Other standards rely on an existing security framework. (This security framework is a definition of security controls for an environment.) They framework is designed for general protection of information -- and not focused on a specific data set.
A good example is that the Sarbanes Oxley Act (SOX) which mandates security controls. Control Objectives for Information and Related Technology (COBIT) is a security framework that is commonly used to assess SOX compliance.