IT Compliance Institute, March 20, 2007:
Trends and Technologies
Beyond SOX and Endpoint Security: Six Emerging Trends in Compliance
Spending on SOX, Vista apathy, and endpoint security dominated our 2006 predictions for compliance. Learn how the landscape is shifting for 2007.
By Mathew Schwartz
Last year, Sarbanes-Oxley (SOX) dominated companies’ compliance efforts, organizations increasingly adopted endpoint security, data breaches grew epidemic, and experts warned companies that Microsoft's Vista operating system would be no silver bullet for compliance or security.
Here’s what’s changed from 2006, and what experts predict for the coming year:
1. Targeted Attacks Escape Detection
For some time, attackers have been using malware to exploit PCs, turn them into zombie computers, and create large, distributed bot networks, especially for distributing spam and malware. Phishing attacks have also become so prevalent and sophisticated that some financial institutions report their losses related to online fraud increased five-fold from 2005 to 2006.
Increasingly, however, attackers are launching more targeted, stealthy attacks aimed at stealing lucrative personal information. The frightening corollary is that because a targeted attack hits only a handful of victims, security researchers and vendors often never see a sample of it, so nothing is learned that would help other companies recognize the same technique, and they remain wide open, which of course is exactly what the attackers want. “More bad guys are learning, let’s not be overly greedy, it’s easy to do this and get away with it if we don’t try to do too much at once. If we just do it slow and steady, we’ll make off with a lot more and have a better chance of getting away with it,” notes Michael Gavin, security strategist at Security Innovation.
2. Breached Data: 100 Million Records and Counting
Driven by such targeted attacks, data breaches have reached epic proportions over the past few years. Indeed, the Privacy Rights Clearinghouse estimates that, since it began tracking breach disclosures in February 2005, the total number of potentially breached records had surpassed 100 million by the end of 2006. Perhaps the most high-profile recent example is the TJX Companies’ disclosure that its network had been breached, exposing transaction data dating back to 2003, and that the intrusion was not discovered until 2006.
Such disclosures, of course, happen only because laws on the books in over 30 states—inaugurated by California SB 1386 in 2002—require any organization to notify a state’s residents when a breach exposes their personal data. Meanwhile, efforts to pass a national data breach and consumer protection law of at least equal strength to the states’ laws have so far failed.
Even so, current data breach repercussions can be extensive. Between clean-up efforts, consumer notification services, legal fees, and customer defections, a single breach can result in millions of dollars of direct costs and lost revenue. As a result, companies are increasingly doing everything possible to safeguard sensitive consumer and employee data, to avoid ever having to issue a reputation-crushing breach notification.
3. Revisiting Compliance Controls
The first several years of SOX involved a mad dash to get needed IT controls in place to ensure compliance. Firms typically first instituted manual controls, and have been steadily replacing those controls with automated ones, to create more easily repeatable, demonstrable, and cost-effective compliance.
Unfortunately, many of these controls are actually ineffective, claims Forrester Research analyst Michael Rasmussen in a recent report. The problem: “In a rush to avoid being fitted for orange jumpsuits, firms don’t devote nearly enough consideration to the adequacy of the controls that compliance teams are implementing.” Rather, many companies rely on one-size-fits-all checklists of controls—“because firms all want a ‘get out of jail free’ card that assures their executives that if they do these three things in order, litigators and regulators will leave their companies alone.”
As a result, he says, “many compliance teams have implemented controls that may not make sense for their businesses.” Controls end up either overblown, siphoning off valuable IT time and resources, or, more often, insufficient, leaving organizations vulnerable to attack and potentially noncompliant with the very regulations the controls were meant to satisfy. As regulations mature, expect auditors to take a much closer look at whether the controls in place actually do the job.
4. Better Compliance through Improved Security
On that note, experts have long argued that compliance efforts don’t automatically result in improved security. Many companies, however, didn’t seem to listen. According to new research by Forrester Research analyst Khalid Kark, “most organizations increased their regulatory spending while decreasing their security budgets and postponing security initiatives, thinking that regulatory compliance would lead to better security.” Yet “in a lot of cases,” he says, “this assumption was not true.” Furthermore, by forgoing sufficient information security investment, many firms are now at increased risk from today’s more virulent and targeted attacks.
Expect firms to now play catch-up. Forrester predicts that security spending in North America, measured as a percentage of the overall IT budget, will rise to 7.5 percent in 2007, after declining from 8.5 percent in 2004 to 6.9 percent in 2006.
5. PCI Overshadows SOX
Increased security spending will also be needed to comply with the Payment Card Industry Data Security Standard (PCI DSS) version 1.1, which was released in September 2006. The PCI DSS is a security standard that was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help mitigate emerging payment security risks, while facilitating the broad adoption of payment account data security. Simply put, PCI specifies minimum policies, procedures, data security, network architecture, and more for any merchant handling credit card data.
Unlike SOX, which many deride as being so vague that many auditors aren’t even sure what it requires, experts say PCI is a model of clarity, clearly spelling out what companies must do. For example, “PCI really addresses all the system components that are involved in the network, whether a firewall, router, or anything connected to the network. Anything that comes in contact with cardholder data has to be secured,” notes Ellen Libenson, vice president of product management at Symark Software.
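Scoping starts with knowing which systems actually hold cardholder data, and a frequent surprise is a primary account number (PAN) sitting in an application log or an exported spreadsheet. The following Python script is an added example written for this page, not code from the article or from the PCI Security Standards Council: it scans lines of text for 13- to 19-digit runs, applies the Luhn check-digit test that card numbers satisfy, and reports each hit masked to its last four digits so the scan output does not itself become another copy of cardholder data. The sample lines, the partial issuer-prefix table, and the function names are all constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def brand_of(digits: str) -> str:
    """Partial issuer-prefix table for scope reporting (assumption: only the
    best-known ranges; real IIN tables are far larger, so 'unknown' is normal)."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if digits[:2] in {"34", "37"}:
        return "American Express"
    return "unknown"


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that payment card numbers satisfy; it filters out most
    non-card digit runs (session ids, order numbers, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in any report the scanner produces."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(lines):
    """Return (line_number, masked_pan, brand) for each Luhn-valid candidate."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((lineno, mask(digits), brand_of(digits)))
    return findings


# Constructed sample input (not from the article): lines as they might appear
# in an application log or a spreadsheet export. The card numbers are public
# test PANs, not real accounts.
SAMPLE_LINES = [
    "2007-03-01 10:02:11 order=1183 pan=4111111111111111 amount=42.10",
    "2007-03-01 10:02:12 order=1184 pan=4111 1111 1111 1112 amount=9.99",  # bad check digit
    "2007-03-01 10:02:13 invoice 5500-0000-0000-0004 paid",
    "2007-03-01 10:02:14 session=1234567890123456 user=alice",  # 16 digits, fails Luhn
    "2007-03-01 10:02:15 order=1185 pan=****-****-****-0004 amount=3.50",  # already masked
]

if __name__ == "__main__":
    for lineno, masked, brand in scan(SAMPLE_LINES):
        print(f"line {lineno}: {masked} ({brand})")
```

A scanner like this is a first pass at establishing scope, not a control: PANs split across fields or stored encoded will slip past it, so a clean result is a prompt for closer investigation rather than a clearance, and any hit means the system that wrote the line is in scope for the full standard.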
Noncompliance with PCI can lead to fines and to revocation of the ability to process credit cards, which can have substantial business repercussions. Visa has also established monetary rewards for compliance. Its PCI Compliance Acceleration Program (CAP), announced December 12, 2006, promises banks cash incentives if they can ensure their merchants meet the major PCI requirements, along with lower interchange rates, the per-transaction processing fees that banks pay on credit card transactions. Visa expects banks to pass these incentives on to merchants, and other card companies are expected to follow Visa’s lead. As a result, many companies are now making a concerted push to become PCI-compliant.
“PCI to me has become the new SOX,” says Chris Farrow, director for Configuresoft’s Center for Policy and Compliance. “SOX has really toned down in terms of its appearance in the media and priority for a lot of organizations. After the first Enron, WorldCom, and Tyco guys, how many people have gone to jail? Not many. It doesn’t have the teeth it used to. Lobbyists continue to push to get SOX toned down. Small businesses keep getting extension after extension, and people are complaining SOX costs too much money to comply.”
6. Insider Threat Drives Access Controls
So what do Medco, DuPont, and Compulinx have in common? All suffered security breaches due to insiders. At Medco, for example, an IT administrator attempted to launch a logic bomb to delete internal information; it failed. Meanwhile at Compulinx, the CEO reportedly—and fraudulently—used employees’ personal information for credit purposes.
Of course insider breaches are not new; some studies estimate that insiders account for up to 85 percent of all security breaches. The underlying problem is straightforward and nearly universal: the average employee has access to too much. Employees rarely lose access to databases, servers, or applications, and usually just acquire more as new systems appear and their job responsibilities change.
To comply with regulations, and especially laws which mandate need-to-know access to sensitive information—including HIPAA, SOX, and PCI—companies now have a clear mandate, says Forrester’s Kark: “CISOs must be able to identify the sensitive information and ensure that it has the appropriate amount of protection to prevent against data disclosure and security breaches.” Expect companies to expend significant energy this year trying to learn where their sensitive data lives, so they can restrict and audit access accordingly.
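As an added example, not part of the article or of Forrester’s research, the following Python script performs the access review this section describes: it compares the entitlements each user currently holds against a baseline of what that user’s role needs, flags the excess, and ranks findings that touch regulated data first so the riskiest access is revoked first. The role baseline, the list of sensitive entitlements, the user snapshot, and the function names are all constructed for illustration.

```python
# Constructed example data (not from the article). ROLE_BASELINE lists the
# entitlements each job role needs; SENSITIVE marks entitlements that reach
# regulated data (cardholder data under PCI, payroll records under privacy
# law), where need-to-know access is mandated.
ROLE_BASELINE = {
    "developer":  {"git-read", "git-write", "jira"},
    "dba":        {"git-read", "jira", "cardholder-db-admin"},
    "hr-analyst": {"jira", "hr-payroll-read"},
}

SENSITIVE = {"cardholder-db-admin", "cardholder-db-read",
             "hr-payroll-read", "hr-payroll-write"}

# Snapshot of what each user holds today, as an IAM or directory export might
# show it: (role, set of entitlements). Comments say how the drift arose.
CURRENT_ACCESS = {
    "alice": ("developer",  {"git-read", "git-write", "jira",
                             "cardholder-db-read"}),             # kept from an old project
    "bob":   ("dba",        {"git-read", "jira", "cardholder-db-admin"}),
    "carol": ("hr-analyst", {"jira", "hr-payroll-read",
                             "hr-payroll-write", "git-write"}),  # moved from dev to HR
    "dave":  ("contractor", {"git-read"}),                       # role nobody has defined
}


def review(current, baseline, sensitive):
    """Compare held entitlements with the role baseline.

    Returns one finding per user with excess access. A role that has no
    baseline is itself a finding: nobody has decided what that role may see,
    so everything it holds counts as unreviewed. Findings that include a
    sensitive entitlement sort first, then alphabetically by user.
    """
    findings = []
    for user, (role, held) in current.items():
        if role not in baseline:
            excess, note = held, "no baseline defined for role"
        else:
            excess, note = held - baseline[role], ""
        if excess:
            findings.append({
                "user": user,
                "role": role,
                "excess": sorted(excess),
                "sensitive": sorted(excess & sensitive),
                "note": note,
            })
    findings.sort(key=lambda f: (not f["sensitive"], f["user"]))
    return findings


def revocations(findings):
    """Flatten findings into (user, entitlement) pairs to revoke, with every
    sensitive entitlement ahead of the rest so the riskiest access goes first."""
    urgent, routine = [], []
    for f in findings:
        for ent in f["excess"]:
            (urgent if ent in f["sensitive"] else routine).append((f["user"], ent))
    return urgent + routine


if __name__ == "__main__":
    found = review(CURRENT_ACCESS, ROLE_BASELINE, SENSITIVE)
    for f in found:
        flag = " SENSITIVE" if f["sensitive"] else ""
        print(f"{f['user']} ({f['role']}): excess={f['excess']}{flag} {f['note']}")
    print("revoke in this order:", revocations(found))
```

The baseline is the hard part in practice: it has to come from business owners, not from a snapshot of what people happen to hold today, or the review simply ratifies the accumulated access the section warns about.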
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.