Eric Ogren

Security Impact

Are all of these compliance regulations productive?

One common theme I am hearing from many of the leading database security vendors and their customers is how little market demand there is for HIPAA and PCI compliance solutions. Even though these regulations are reasonably precise about security requirements, the lack of enforcement has led to the lack of investment. This is a good thing, as these specifications are malformed attempts to require available technologies that frequently are poorly aligned with business or consumer protection needs. For instance, PCI barely touches on loss of personally identifiable information, which a naïve analyst would think is its reason for existence in the first place.

It is very hard to write effective regulations. Our state and federal legislatures can learn from provisions of the only two effective regulations.

1. Executive accountability is the key provision of SOX. Having the chief executive of a publicly held company personally sign off on the controls and security of the company’s financial results is a powerful force. Executive commitment, not lip service, to security has had positive returns in keeping security aligned with IT and business needs.
2. Market accountability is the key provision of 1386. Requiring companies to disclose loss of personally identifiable information is a huge influence on corporate behavior. Accountability to the market, that is customers and prospects, goes right to the bottom line of businesses and drives investments to keep from appearing on the front page of the local newspaper.

When I see PCI or HIPAA programs, the motivating factor seems to be CYA tied to executive or market accountability. That is, if there is a breach, affected parties want to know that the organization took every reasonable precaution. That’s when compliance with specific sections of PCI or HIPAA comes in handy.

We are now on the threshold of more regulations. It is very clear that governments cannot mandate how organizations secure confidential information. The attacks and defense technologies just change too rapidly for any such regulations to be effective for long (like PCI requiring an IDS). New statutes for such things as data encryption or identity theft should use executive and market accountability as the enforcement hammers. Let the businesses adapt and innovate over time as threats and risks evolve. Anything else is doomed to be unproductive without improving security one iota.

What People Are Saying

hipaa has a use and is being

HIPAA has a use and is being enforced. Two people are in federal jail for violating the HIPAA laws. They got 10 years each.

The purpose of HIPAA is to protect against ID theft and misuse. Also, it impacts national security and fraud.

The thing about being a techie and not a lawyer is that the law is very complex and most techies have no clue about what they are for and do.

FYI... Piedmont Hospital is being audited under HIPAA, and private lawsuits will happen according to two courts, one in NC and the other in UT.

There are a lot of good things associated with privacy and HIPAA is attempting to do these things, and of course the business interests don't want or like privacy; they use all of our information to make money. Duh....

Don't bash good laws, try and support them.

One benefit that I see in

One benefit that I see in compliance regulations is that for many organizations that don't have any idea about securing their business, it provides a starting point. Generally, even without regulatory compliance, IT Governance, which is a foundation for many regulations, is still a concern. ITG is often built with NIST 800-53 controls and ISO 17799 for business relevance (often called ISO-over-NIST) and offers some good building blocks.

However, beyond this, until more resources are spent on enforcing regulations, organizations won't be motivated to address them more aggressively. While we all know security doesn't equal compliance and all that, once the cost of not being compliant (legal fees, PR fees, reduced shareholder faith, decreased valuation, partner interpretation, lost customers and ultimately reduced revenue) is greater than the cost of being compliant, you'll see more compliant and hopefully more secure businesses. Until then, it's still the Wild West.

Hi Brian,

No question, if you need a good menu of security things to start your program with, specifications like PCI or the NIST series of recommendations are great places to start.

I think we are in agreement. It can be argued that the costs of non-compliance you listed are derived from disclosure requirements, which I view as an effective means of market accountability (via business impact).

It is worth asking how much the government should force the commercial sector to do for security. We definitely needed regulations to protect personally identifiable information. I do feel, however, that some regulations attempt to over-control how companies run their business by telling them how they should be meeting requirements, and compliance lags with those specs. For instance, I am not yet convinced that every organization must go through rigorous data classification exercises or deploy IDS boxes and Web application firewalls.

I spied a reference from CJ so I'll have more to say later this afternoon.

Eric

Brian is right about the

Brian is right about the eventual costs of being non-compliant. When they do outweigh the costs of compliance, only then will corporations realize that protecting privacy will provide a competitive advantage. In the meantime, it is the easy thing over the right thing.

I would say Brian has one thing backwards in saying that compliance does not equal security. Security DOES equal compliance when it involves user access at the data/file level. This is what compliance is generally about: proving that access to data, and the use of that data, cannot and has not taken place in an unauthorized manner.