Security's even worse than you assumed http://news.com.com/2061-11203_3-5779868.html?part=rss&tag=5779868&subj=news
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

As a security industry insider, I fully support the efforts of Senators Arlen Specter (R-Pa.) and Patrick Leahy (D-Vt.), who introduced the Personal Data and Security Act into the 109th Congress on June 29. Not to be an alarmist, but the state of information security is far WORSE than most people think. I'm constantly speaking with major companies whose security infrastructure has more holes than Swiss cheese. Pretty scary when you realize that identity theft is a fast-growth industry because there is money to be made, it's easy to get away with, and the target is as vulnerable as shooting fish in a barrel (note: American colloquialism for very easy).

Having stated my sincere approval, I'd like to offer a bit of advice for the honorable Senators in question. Based on my knowledge of the business climate, security technology, and privacy legislation, I'd suggest that the Senate:

1. Balance the legislative stick with a tax break carrot. Companies continue to spend millions on Sarbanes-Oxley, HIPAA and loads of other altruistic government mandates. Yes, these provide long-term benefits, but Wall Street judges business performance on a quarterly basis. Give companies an incentive that offsets compliance costs and you can keep investors happy and American businesses competitive.

2. Operationalize legislation. I can't tell you guys on the Hill how much confusion remains over how to comply with regulations. No, this isn't a government responsibility, but it would surely help if the feds could coordinate with NIST, CERT, ISO or the SANS Institute (preferably all of these organizations) to map regulatory requirements to operational best practices. This would allow organizations to streamline compliance processes, lower compliance costs, and meet deadlines.

3. Minimize any cross-legislative confusion. The Personal Data and Security Act should be a superset of state and international privacy regulations. In other words, if an organization is in compliance with the mandates of this bill, it should then be in compliance with all other privacy legislation. In addition, make sure that the Specter/Leahy bill includes the reasonable and redundant pieces of legislation proposed by Senators Dianne Feinstein (D-Calif.) and Charles Schumer (D-N.Y.). Business and private organizations are sick of the parade of new compliance issues, so it would be extremely helpful to eliminate any grandstanding and work together toward one comprehensive bill.

4. Include the encryption exclusion. This provision was part of the California legislation (SB 1386) but has been excluded from federal bills. This is a mistake. We'll all be long gone by the time someone can break a 3DES or 128-bit AES key through a brute force attack (i.e. using computing power to try every possible combination). This little exclusion not only enhances security but also provides another carrot to your constituents to invest in real security technology.

5. Clarify this whole "data broker" thing. The definition of data broker in the current bill is too broad; it needs to be fine-tuned to target ChoicePoint-type organizations, not charities and news organizations. The legislation must also tighten up who has access to what data, as today's version creates a new threat (i.e. people can access their own information, therefore if I steal your identity, I can get your data).

6. Define how compliance will be monitored. This is really important if you want to achieve the goals of this bill. In the healthcare industry, for example, there are no teeth behind government HIPAA inspection. It's simply easier and cheaper to avoid compliance altogether and accept the low risk that you'll be fined than to take action. This legislation will be a worthless exercise in public debate unless it addresses how the government will audit personal data security compliance and what it will do to non-compliant first offenders.

Arlen and Pat, get these 6 points into your bill and legislative process and you'll accomplish your goals of protecting personal data and delivering benefits to your constituents.

You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
