If you believe that computer security is all about having the right tools and an expert staff, then you are mistaken. Never forget why you have computers in the first place – because of your business. Mikhail Utin will shed light on the corporate side of security by talking about laws, compliance and real life (the full title of his talk is US experience – laws, compliance and real life – when everything seems right but does not work).
While information security can be improved in a number of ways, one powerful approach is continually overlooked by security researchers. This approach is the collective effort of the mass of computer users, where each individual has a very limited understanding of information security and is frequently forced to improve security by various laws and regulations. Pressure coming from both the government and cybercriminals affects the ability of small businesses to conduct business as usual. It is questionable whether, in such a situation, an adequate level of security for protecting information can be achieved at all.
Mikhail attempts to address this gap by analysing the current status of information security processes among the general population of users, based on the situation in the US, and by assessing our ability to protect personal information through government regulatory affairs and the implementation of regulations. Bear in mind that the US has a specific form of government, laws and business organisation. However, since information security and the protection of personal information are a growing global concern, the hope is that this analysis will help the international security community at large to avoid some of the pitfalls discussed in Mikhail's talk at DeepSec 2011.
While the US has numerous laws protecting personal information, two regulations are most pertinent: the federal HIPAA/HITECH and the state of Massachusetts MGL c.93H/201 CMR 17.00. The paper considers the obstacles to achieving compliance with both regulations. The compliance process particularly affects small and mid-size businesses, which by and large do not have sufficient resources to become compliant. The situation is made even more difficult by the government not providing any help to start the compliance process. The second problem is that the US government does not take appropriate measures to enforce compliance. The authors consider the resulting degradation in security to be a consequence of these deficiencies in the enforcement process. Such an uncertain and grim security situation could be significantly improved if government and businesses worked together as part of one process. The authors recommend certain measures for achieving a better security posture, including automation of the phases of the compliance process.
So while it is easy to say "compliance", it really is a long way from requirement to implementation, especially on a low budget. It is well worth considering the scenarios presented by Mikhail in his talk. Auditors, administrators, CEOs and CIOs are welcome to join!