News
Blogs
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
IT Careers
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Industry
This Week in Print
Print Subscriptions


Ads by TechWords

See your link here


Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 
Eric Ogren's picture
Eric Ogren

Security Impact

More posts | Read bio

January 18, 2007 - 12:40 P.M.

Are all of these compliance regulations productive?

4 comments

One common theme I am hearing from many of the leading database security vendors and their customers is how little market demand there is for HIPAA and PCI compliance solutions. Even though these regulations are reasonably precise about security requirements, the lack of enforcement has led to the lack of investment. This is a good thing, as these specifications are malformed attempts to require available technologies that frequently are poorly aligned with business or consumer protection needs. For instance, PCI barely touches on loss of personally identifiable information, which a naïve analyst would think is its reason for existence in the first place.

It is very hard to write effective regulations. Our state and federal legislatures can learn from provisions of the only two effective regulations.

1. Executive accountability is the key provision of SOX. Having the chief executive of a publicly held company personally sign off on the controls and security of the company’s financial results is a powerful force. Executive commitment, not lip service, to security has had positive returns in keeping security aligned with IT and business needs.
2. Market accountability is the key provision of 1386. Requiring companies to disclose loss of personally identifiable information is a huge influence on corporate behavior. Accountability to the market, that is customers and prospects, goes right to the bottom line of businesses and drives investments to keep from appearing on the front page of the local newspaper.

When I see PCI or HIPAA programs, the motivating factor seems to be CYA tied to executive or market accountability. That is, if there is a breach, affected parties want to know that the organization took every reasonable precaution. That’s when compliance with specific sections of PCI or HIPAA comes in handy.

We are now on the threshold of more regulations. It is very clear that governments cannot mandate how organizations secure confidential information. The attacks and defense technologies just change too rapidly for any such regulations to be effective for long (like PCI requiring an IDS). New statutes for such things as data encryption or identity theft should use executive and market accountability as the enforcement hammers. Let the businesses adapt and innovate over time as threats and risks evolve. Anything else is doomed to be unproductive without improving security one iota.

What People Are Saying

Add new comment

hipaa has a use and is being

Submitted by Anonymous on June 10, 2007 - 6:58 P.M.

hipaa has a use and is being enforced. two people are in federal jail for violating the hipaa laws. they got 10 years each.

the purpose of hipaa is to protect against ID theft and misue. also, it impacts national security and fraud.

the thing about being a techi and not a lawyer is that the law is very complex and most techies have no clue about what they are for and do.

FYI...piedmont hospital is being audited under hipaa and private lawsuits will happen according to two courts one in NC and the other in UT.

there are a lot of good things associated with privacy and hipaa is attempting to do these things, and of course the business intersts don't want or like privacy they use all of our informaiotn to make money. duh....

don't bash good laws, try and support them.

Reply | Report this comment

One benefit that I see in

Submitted by Brian Contos on January 18, 2007 - 9:37 P.M.

One benefit that I see in compliance regulations is that for many organizations that don't have any idea about securing their business, it provides a starting point. Generally, even without regulatory compliance, IT Governance, which is a foundations for many regulations, is still a concern. ITG, is often built with NIST 800-53 controls and ISO:17799 for business relevance - often called ISO-over-NIST and offers some good building blocks.

However, beyond this, until more resources are spent on enforcing regulations, organizations won't be motivated to address them more aggressively. While we all know security doesn't equal compliance and all that - once the cost of not being compliant (legal fees, PR fees, reduced shareholder faith, decreased valuation, partner interpretation, lost customers and ultimately reduced revenue)is greater than the costs of being compliant, you'll see more compliant and hopefully more secure businesses. Until then - it's still the Wild West.

Reply | Report this comment

Hi Brian,

Submitted by Eric on January 19, 2007 - 10:40 A.M.

Hi Brian,

No question, if you need a good menu of security things to start your program with, specifications like PCI or the NIST series of recommendations are great places to start.

I think we are in agreement. It can be argued that the costs of non-compliance you listed in italics are derived from disclosure requirements - which I view as an effective means of market accountability (via business impact).

It is worth asking how much the government should force the commercial sector to do for security. We definitely needed regulations to protect personally identifiable information. I do feel however that some regulations attempt to over-control how companies run their business by telling them how they should be meeting requirements, and compliance lacks with those specs. For instance, I am not yet convinced that every organization must go through rigorous data classification exercises or deploy IDS boxes and Web application firewalls.

I spied a reference from CJ so I'll have more to say later this afternoon.

Eric

Reply | Report this comment

Brian is right about the

Submitted by Rob Lewis on January 19, 2007 - 10:36 A.M.

Brian is right about the eventual costs of being non-compliant When they do outweigh the costs of compliance, only then will corporations realize that protecting privacy will provide a competitive advantage. In the meantime, it is the easy thing over the right thing.

I would say Brian has one thing backwards and that compliance does not equal security. Security DOES equal compliance when it involves user access at the data/file level. This is what compliance is generally about, proving that access to data, and the use of that data, can not and has not taken place in an unauthorized manner.

Reply | Report this comment

Related Posts

Do Railhead right or don't deploy until it IS right
We have met the enemy, and he is us.
Google and DoubleClick, sittin' in a tree (and Magneto Boy)
Federal encryption standardization

Today's Top Stories

Microsoft vows to stymie hackers with next week's patches
Ubuntu's maker: Google's Chrome OS 'no slam dunk'
EMC gets Data Domain, now what?
Emulex rejects Broadcom's $925M revised buyout offer
VirtualBox 3.0: An easy way to mix and match operating systems
Facebook attracting more users with gray hair, wrinkles
About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures
IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.