
FEATURE

Computer Fraud & Security, June 2011, p. 8

what each category means and which kinds of document fit into it.

Also valuable to include here is a read-at-a-glance table of ticks and crosses, the aim being to show users in a very visual fashion whether, for example, various document types have to be shredded or can just be thrown in the wastepaper bin after use. Another simple way of ensuring that personnel stick to the brief is to design Microsoft Word and Excel templates for a whole range of documents, from proposals to corporate presentations, which include the relevant protective marking in the footer.

“If someone writes a proposal, they start by opening the relevant template and, because everything’s embedded, they know right away if the document is confidential or not,” says Wood.

The value of education

Ensuring that users keep to requirements is a matter of ongoing awareness training and education campaigns, both of which will be key to the success of the scheme. “It’s not just a case of having half an hour in a lecture room and saying ‘this is the new scheme, so use it’,” explains Gillespie. “You have to explain why it’s there, why it’s important and how they need to apply it and you have to tell them that on an ongoing basis.”


While marketing departments can be co-opted to help with such campaigns, workers must also be provided with a conduit for obtaining answers to any queries. Possible mechanisms here range from a FAQ on the corporate intranet to email addresses or telephone helplines that are routed directly to information security personnel.

Document management systems can be used to both embed classifications into files and enforce them. And there are useful tools, such as those from Titus Labs. This software provides users with a pop-up dialogue box that includes classification options when saving an email message for the first time.

Once the programme is finally up and running, the final step is to create effective governance procedures, which include regular audits and spot checks, in order to ensure that things continue to remain on track.

“The whole organisation has to stick to the classification scheme or there’s no point,” says Gillespie. “But it’s not rocket science. It’s just about using common sense and taking the time and effort to do it properly.”

About the author

Cath Everett is a freelance journalist who has been writing about business and technology issues since 1992. Her special areas of focus include information security, HR/management and skills issues, marketing and high-end software.

Going beyond the boundaries of compliance

Jon Geater, Thales

Adherence to compliance standards is critical for most organisations, and as a result these standards often have a heavy influence on information security decision-making. There are numerous reasons for this, but most importantly, IT professionals are looking for guidance and direction, and where better to look than industry standards?

From many perspectives this is not an unreasonable approach: organisations could spend a lot of money buying all of the security products they can find and still not be bulletproof. And even if they achieve a high level of security, the economics of such actions simply do not make sense. Complying with recognised standards is a necessary step and in doing so, CIOs effectively ensure that they keep up with best practice. Or do they?

In a recent research report commissioned by Thales and conducted by the Ponemon Institute, more than 500 auditors were surveyed, with roughly half representing internal IT security audit teams and half representing independent external audit companies and consultancies [1]. One of the initial findings was that only 32% said that the organisations they audit are proactive in managing privacy and data protection risks. The danger, however, is that this reactive, compliance-driven approach can leave organisations under-protected and constantly running to keep up.

Despite the agreement among auditors that organisations are mostly focused on compliance, 60% of respondents agreed that the companies they audit do not believe compliance improves their data security effectiveness. Moreover, 54% agreed that organisations use cryptographic security tools only as required to strictly achieve compliance and no more.

As a consequence of not making data security more of a priority, 51% of the auditors also said that on average, more than half of audits they have conducted have had serious deficiencies or failed data security compliance requirements.

Keeping ahead of threats

Security threats evolve too rapidly for regulations to keep up: it’s impossible for them to represent the very forefront of global security attack and defence methods. This can be a problem when mainstream security adoption typically catches up with best practice only when the compliance mandates are updated. Threats and defences have evolved hand-in-glove over the years but the long-term story tells us that compliance necessarily lags behind the curve.


At one time, the firewall was everything – the impregnable ring of steel that kept all the good stuff in and the bad guys out. But with the rise in rich content and web applications, no amount of user education could stop those tempting email attachments from being opened, resulting in the growth in popularity of additional defences such as corporate anti-virus and password management.

At the same time, businesses and individuals started to share more and more information across virtual boundaries and compliance mandates around data confidentiality began to emerge. And so encryption and other uses of cryptography entered the mainstream, becoming essential components of data protection strategy and compliance. Some 71% of auditors surveyed in the study believed that an organisation’s information assets cannot be fully protected without the use of cryptography, even within the corporate boundary.

In addition, 82% think that encryption has a role in protecting sensitive or confidential data at some point in its lifecycle and 81% said this information should be encrypted whenever practical. Businesses’ confidential information, health information and financial or accounting information and payment transactions (including credit cards) were considered to be the most important types of information to encrypt.

The research also revealed that certain compliance requirements are more difficult to achieve than others. Top of the list came restricting access to confidential data on a need-to-know basis, shown to be both the most difficult compliance requirement to achieve and also the most important. The use of firewalls and protection of data as it flows through public networks is still viewed as extremely important. The report shows no sign that these defences should be replaced in any way; it is simply that these technologies are only a part of a complete security story.

Figure 1: How the use of crypto solutions favourably influences auditors’ perceptions. Source: Ponemon/Thales.

Figure 2: Comparison of internal and external auditor perceptions about the state of compliance. Source: Ponemon/Thales.

Key management

Recent high-profile security incidents have led to the realisation that encryption is no silver bullet and key management is in fact more critical than its relatively low visibility in mainstream enterprises would imply.

Arguably, many mainstream encryption and signing compliance mandates haven’t historically regulated key management, resulting in organisations failing to adopt best practices. Software key storage or lax access control, poor selection of keys and protocols and thefts of key material frequently make the headlines. This shouldn’t be surprising: by definition those in the mainstream cannot be experts in cryptography. But that’s no excuse – the security industry and individual industry regulators have a responsibility to fix this.

When auditors were asked to identify the most pressing issues of encryption key management in the Thales and Ponemon study, top of the list was the administration of key management systems (29%), protecting stored keys (20%) and controlling the use of keys (19%). These findings demonstrate that the tide is turning and we are now seeing a growing awareness in the wider CIO community of the importance of key management. In support of this, compliance mandates which were focused on encryption are now being updated to incorporate key management.

From PCI-DSS for payment security, to the more traditional world of US federal government security, we are seeing an increased sophistication in the specification of key management requirements.


Data breach notification rules (such as those in Nevada) have been explicitly and carefully updated with the realisation that encryption is flawed without also applying a standard or due care to key management. Rules are evolving from simple and naive password use through encryption to explicit mandates on key management.


In many cases these changes are made to improve the security of systems and actually reduce the risk of breaches (such as the recommendation to use hardware devices). In line with emerging key management compliance initiatives, 79% of auditors recommend the use of a Hardware Security Module (HSM) instead of relying on software-based systems to protect keys and enforce key management policies. In other cases, this new understanding and acknowledgement of the role of key management enables business agility as standards and technologies such as the OASIS Key Management Interoperability Protocol (KMIP) make their way into the body of the regulations.

Figure 3: The most difficult compliance requirements. Source: Ponemon/Thales.

Figure 4: The significance of crypto security solutions in meeting compliance requirements (combination of ‘very significant’ and ‘significant’ responses in survey). Source: Ponemon/Thales.
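The key management section above argues that encryption on its own is hollow without key custody, usage control and a managed key lifecycle, and that auditors now prefer keys held in an HSM over software key storage. The following Go program is an example added here to make that concrete; it is not code from the article, from Thales or from any KMIP implementation. It uses envelope encryption: each record is encrypted under its own data-encryption key (DEK), and the DEK reaches storage only wrapped under a named key-encryption key (KEK) held by a Custodian type that stands in for an HSM or key-management service. The type and function names (Custodian, Record, Rekey), the KEK labels kek-2011 and kek-2012, and the sample payload are all assumptions made for the example. Rotating a KEK re-wraps only the 32-byte DEK, so the bulk ciphertext never moves; destroying a KEK before its records have been re-wrapped makes every one of them unrecoverable, which is one reason key storage and lifecycle deserve the scrutiny the article says they are now getting.

```go
// Added illustration, not code from the article, Thales or any KMIP implementation:
// envelope encryption with key-encryption keys (KEKs) held behind a custody boundary.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: refuse rather than fall back to a weak key
	}
	return b
}
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 random bytes; failure means a bug
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal and open are AES-256-GCM with the random nonce prefixed to the ciphertext.
func seal(key, plaintext, ad []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, ad)...)
}
func open(key, sealed, ad []byte) ([]byte, error) {
	g := aead(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], ad)
}

// Custodian stands in for an HSM or KMS: callers get Wrap and Unwrap, never KEK bytes.
type Custodian map[string][]byte
// Wrap binds the KEK name as associated data so a wrapped DEK cannot be presented under another KEK.
func (c Custodian) Wrap(kek string, dek []byte) ([]byte, error) {
	if k, ok := c[kek]; ok {
		return seal(k, dek, []byte(kek)), nil
	}
	return nil, fmt.Errorf("kek %q is unknown", kek)
}
func (c Custodian) Unwrap(kek string, wrapped []byte) ([]byte, error) {
	if k, ok := c[kek]; ok {
		return open(k, wrapped, []byte(kek))
	}
	return nil, fmt.Errorf("kek %q is unknown", kek)
}

// Record is what reaches storage: ciphertext plus the wrapped DEK, never the DEK itself.
type Record struct {
	KEK                    string
	WrappedDEK, Ciphertext []byte
}
func Encrypt(c Custodian, kek string, plaintext []byte) (*Record, error) {
	dek := randomBytes(32) // fresh DEK per record
	wrapped, err := c.Wrap(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Record{KEK: kek, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil)}, nil
}
func Decrypt(c Custodian, r *Record) ([]byte, error) {
	dek, err := c.Unwrap(r.KEK, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, nil)
}

// Rekey re-wraps only the 32-byte DEK under newKEK; the bulk ciphertext is untouched.
func Rekey(c Custodian, r *Record, newKEK string) error {
	dek, err := c.Unwrap(r.KEK, r.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := c.Wrap(newKEK, dek)
	if err == nil {
		r.KEK, r.WrappedDEK = newKEK, wrapped
	}
	return err
}
func main() {
	c := Custodian{"kek-2011": randomBytes(32), "kek-2012": randomBytes(32)}
	rec, _ := Encrypt(c, "kek-2011", []byte("PAN=4111111111111111")) // constructed sample
	if err := Rekey(c, rec, "kek-2012"); err != nil {
		panic(err)
	}
	delete(c, "kek-2011") // destroy the old KEK only once every record has been re-wrapped
	pt, err := Decrypt(c, rec)
	fmt.Printf("readable under %s: %s (err=%v)\n", rec.KEK, pt, err)
}
```

Run it with go run to see a record survive KEK rotation. The custody boundary here is only a Go map in the same process; a real HSM or KMIP server keeps the KEK in hardware or a separate service and exposes only wrap and unwrap, which is what the 79% HSM recommendation above is about. Binding the KEK name as associated data is a small example of controlling the use of keys: a wrapped DEK presented under a different KEK name is rejected even if the underlying bytes match. Because GCM nonces are random, a single KEK should not wrap more than about 2^32 DEKs before it is rotated.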


Key management comes of age

The business benefits of this evolution of key management are clear. Not only does operating best practice greatly lower the risk posed by both external and internal threats, it also enables greater business performance through improved access management and new understanding of the role that key management plays within a company.


So now the secret is getting out: everyone knows about key management and that simply encrypting data is no longer sufficient. Over the coming years the quality of key storage, access control and management will come under increasing scrutiny in all areas of the information society and lax key management will be viewed as a fault, not an innocent mistake.

Furthermore, just like encryption, key management best practice will never stand still. With a growing number of organisations moving data into the cloud, the industry needs to keep pace with the evolving information security environment.

What auditors think – the report

The report, ‘What Auditors Think about Crypto Technologies’, surveyed 505 auditors of information security systems, information security auditors, qualified security assessors and EDP auditors. Some 44% of those surveyed had more than 10 years of experience, with 46% holding the CISA accreditation and 24% acting as qualified security assessors (QSA) for PCI DSS audits.

The purpose of the research was to examine what auditors think about crypto technologies as applied to data protection and compliance activities in private and public organisations.

Why are auditor opinions important? By virtue of their role, auditors identify areas of greatest risk and influence around how organisations achieve their security objectives and mission. Thales believes there are very few research studies that seek out the opinions of auditors who have a unique perspective on the success or failure of today’s security strategies – which includes the use of crypto technologies such as encryption, tokenisation and PKI.

The survey focused on the following issues:

• The experience of auditors participating in the study.

• The difficulty and importance of organisations’ compliance with specific requirements as defined by standards such as ISO, NIST, PCI DSS and others.

• The perceptions of auditors concerning data protection and crypto solutions.

Key findings included:

• A large number of respondents said their organisations are not taking data security seriously, and may not be allocating enough resources to achieve a reasonable state of compliance with laws and regulations, as well as a high security posture.

• In the world of compliance, business units rather than legal, IT or compliance, own the budget and thus determine whether or not to invest in audits.

• Audits may be failing in the areas that pose the greatest threat or risk to organisations.

• The primary purpose of audits appears to be the identification of risks and vulnerabilities rather than to determine compliance with policies, laws or contractual agreements.

• Respondents say that restricting access to confidential data on a need-to-know basis is a very difficult compliance requirement to achieve. Other difficult requirements include the need to maintain secure systems and applications and protecting confidential data at rest (in storage).

• Encryption is the hands-down favourite technology for achieving data protection compliance. In fact, the overwhelming majority of respondents believe an organisation’s information assets cannot be fully protected without encryption or other crypto solutions.

• Encryption rather than tokenisation, suppression or masking appears to be viewed by respondents as the best technology for securing databases, data in storage, data in applications and data at point of capture, such as Point of Sale (POS) systems.

• Respondents admit that despite a favourable response to encryption, key management can be very challenging in terms of meeting compliance requirements.

• Respondents express uncertainty about whether encrypted data in various venues is out of scope for most compliance audits.

About the author

Jon Geater is director of technical strategy for Thales. He also co-founded the OASIS Key Management Interoperability Protocol (KMIP) key management group and played an instrumental role in gaining approval of KMIP V1.0 as an OASIS standard in September 2010. Geater holds a BSc Hons in Computer Science.

References

1. ‘What Auditors Think about Crypto Technologies’. Ponemon Institute and Thales eSecurity, March 2011. <http://www.thales-esecurity.com/l/program/Ponemonreport.aspx>.