Cyber Security Institute

Friday, December 22, 2006

Financial Institutions Face Tight Compliance Requirements in 2007

In December, the Public Company Accounting Oversight Board (PCAOB), which sets the auditing rules used for Sarbanes-Oxley compliance, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls.  Separately, the Payment Card Industry Data Security Standard (PCI DSS) requires merchants and payment processors to implement specific IT security controls, such as network segmentation with firewalls and restricted access to cardholder data.  These laws and standards include both proactive components (having an information security policy, implementing access control technology) and reactive components (disclosure of security breaches).

IT security teams need to understand the meaning of legal and audit terms such as "material weakness" and translate them into actionable policies and controls.

For the past ten years, governments and industry groups have enacted laws and published standards in an effort to curb corporate financial malfeasance, identity theft and inappropriate access to personal data.  The challenge is compounded by IT environments that change constantly and by new regulations that keep being added to the compliance mix.

In Congress alone, there have been 25 bills focusing on cybersecurity, 130 bills focusing on the security of personal information, 57 bills focusing on information security, and 12 bills focusing on data security.  In addition, most states have enacted laws modeled after California's breach notification law, which mandates disclosure of any security breach involving personal information.  Meeting these obligations requires authentication mechanisms that go well beyond simple passwords in order to establish a trusted identity for individuals within an organization.

Posted on 12/22