14th Nov 2006, 19:57 GMT
Do the new laws really help information security and raise the general overall level of security, or are they just things to follow along with when being audited? Most of us are familiar with Due Diligence and Due Care, in that companies do the best they can with what they have, depending on their size and the data they need to protect. While many of the laws are customer centric, have they really made an impact on the information security business as a whole? That starts the great debate on the value of laws like SOX, HIPAA, and GLB, as well as the adoption of ISO standards like 17799 and 27001. The thought on this is that corporations have had to invest in their information security programs, and have done so, in light of the very public personnel data losses over the last 2 years. While best practices and international standards give good ideas, they are not a one-size-fits-all answer, even though being compliant with those standards is also a hot ticket to have. Companies will use the standard as a baseline of things they need to be doing, then modify and adjust that baseline to meet their own particular business models. Most information security, and most business, depends on the kinds of data a company generates and the amount of data it generates. Most companies do have things in common, and that is where things like ISO 17799 and 27001 come in handy: they give an excellent baseline for those items that companies do have in common. Laws like SOX, HIPAA, HB 1386 and others then take a more localized view of the company: SOX applies to best accounting and data management standards, HIPAA works only with health care, and HB 1386 applies only in California and to businesses doing business in California. The average mom-and-pop gas station supermarket will be barely impacted by these rules, while credit card processors, hospitals, and most major USA-based businesses will work with SOX.
The investments needed to meet these standards or legal requirements have pushed a lot of money into information security. The round table survey of 2004 indicated that the average company of fewer than five billion dollars (which is probably the majority of companies in the USA) would need to spend an additional 6,285 audit hours, or just over 3 additional people, just to manage the audit for SOX. They also indicate that a company will have to spend an additional 1.9 million dollars per year to maintain compliance with SOX. That money is indirectly being pumped into information security and auditing systems. HIPAA is much the same way, as are all the other rules and laws. The economic impact is there for people to pay attention to; as well, the incentives are there for companies to spend money on information security. The penalties for non-compliance are well spelled out, but beyond auditing and controls like network intrusion systems, the additional side bonus of all this is the increase in interest in SIM (Security Information Management) systems, because the data pulls are so huge when working through the multiple audit trails. As well, mandatory reporting of events, as in HB 1386, makes situational knowledge more important in day-to-day operations. The incidental expenditures have really propped up the major information security vendors, and provided a lot of opportunity for smaller vendors along the way. Nevertheless, there have been strains in the economic impacts of SOX and other legal issues on companies that do not have the resources to spend on compliance, but have to do so anyway. An excellent paper on this by Anindya Ghose and Uday Rajan found:

"The Sarbanes-Oxley legislation is a mandate that is bringing new attention to IT security as a critical part of the risk management framework for the dual purposes of certifying internal controls and attesting to the accuracy of information. Regulatory compliance, security audits, and mandatory information disclosure about internal weaknesses can be very costly from a budget standpoint because internal resources need to be allocated away from critical functions such as innovation and product development into increased investments in technologies that facilitate compliance. We propose a theoretical framework towards analyzing the economic impact of government-mandated information disclosure and internal audits on firms' investments in IT security, the optimal levels of industry-wide production and the extent of market competition. Our analysis reveals that mandatory investments in regulatory compliance may have several unintended consequences such as reduction in optimal production quantities, decrease in the extent of market competition and an overall reduction in social welfare due to distortions in IT security and internal control investments. In particular, our results highlight that smaller sized firms are more severely affected than larger firms and this process may lead to a severe long-term impact on the operations of both capital as well as product markets. Our results are in accordance with recent anecdotal and empirical evidence." (Ghose, Rajan, 2006)

The process of compliance has led to serious investments in information security infrastructure and technology, but not necessarily in manning levels, skill levels (not many are familiar with SIMs), and other factors that affect compliance. The legal drivers have been great for helping security companies make money, but they have yet to fully show up in the personnel investments that are needed to adequately operate and maintain those systems. We have talked about a national accreditation for information security people, much like doctors, nurses, or other professions. ISO standards, NIST standards, and a host of other standards do set down minimal qualifications and requirements.
Most job descriptions have the minimum requirements, but there is no way to really ascertain the quality of the people involved. My thoughts on this are that the next ISO standard or next federal law is going to be a minimum competency, aka CISSP, CISA, college degree, or even a state-sponsored license program, to ensure that quality standards for people are also maintained. This will add to the cost of employment overall, but also make people more accountable to a national standard to implement national-level laws like SOX or HIPAA. The legal impacts on quality and spend have been felt at the hardware and infrastructure level. It will be interesting to see if government will address spend on the educational side and make mandatory requirements for information security people as well.