
Government Regulation in Information Security

William Showalter

US Government, Period 3
December 16, 2010

Information technology security is an evolving field that faces numerous possible futures as government and private regulations continue to develop. Information technology security, or cyber security, is the protection of information systems from cyber attacks, including viruses, worms, unauthorized access, and control system attacks. As it stands in 2010, there is little government regulation, federal or state, in the security world. The strongest regulatory legislation, namely the Federal Information Security Management Act of 2002 (FISMA), applies only to the information systems used or operated by U.S. federal government agencies and by contractors or other organizations on behalf of federal agencies. Most regulation in information technology security thus far has been done by private sector regulatory organizations setting industry standards for compliance. The largest amount of this type of regulation can be observed in the payment card industry.

Many view government regulation frameworks as encouraging organizations to only meet the minimum requirements of compliance. The president of RSA, Art Coviello, spoke of companies in 2009: "They focus too much on achieving technical compliance with government regulations, rather than on minimizing the risks those regulations are meant to address."¹ These behaviors have also been seen with the security measures put in place by the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council was created by American Express, MasterCard Worldwide, and Visa International, among others, to help the payment card industry prevent credit card fraud and theft.² All organizations handling card transactions must be assessed annually for their compliance with the standard. Some companies criticize the required PCI Data Security Standard, saying that the cost of meeting compliance is greater than the potential risk involved without compliance. However, many companies believe the cost of meeting compliance is justifiable.

1 Wade Roush, Balancing Computer Security and Innovation - A Talk with RSA's Art Coviello, http://www.xconomy.com/boston/2009/06/29/balancing-computer-security-and-innovation-a-talk-with-rsas-art-coviello (June 2009)

2 PCI Security Standards Council, PCI SSC Data Security Standards Overview, https://www.pcisecuritystandards.org/security_standards/index.php (2010)

Compliance validation for larger organizations is carried out by a Qualified Security Assessor (QSA), an individual meeting the training requirements put in place by the PCI Security Standards Council and employed by a PCI-approved auditing firm. PCI QSA Martin McKeay says that clients often have a checklist mentality when it comes to trying to meet compliance. They only want to meet the bare minimum requirements instead of improving their security in earnest. McKeay writes that, "We see all too many clients who just want to have their PCI assessment and then ignore the whole thing for the next 8-10 months, until the whole process starts over again. They don't want to think about PCI at all during that time; they don't realize that there are a number of requirements that mandate continuing effort on a daily basis, not just when the assessor is on site."

Software companies may also face regulation in the future about security vulnerabilities in their software. Today the largest vector for cyber attacks is exploiting vulnerabilities in common programs, such as Adobe Reader (PDF files), Microsoft Office (DOC, XLS files), and web browsers (Internet Explorer, Mozilla Firefox). Many security professionals believe that economic incentives should be used to motivate software designers. It is yet unclear how these incentives would be administered if created. There is little proposed legislation in this direction, but Senator John Rockefeller introduced a bill in early 2009 that proposed tax cuts for vendors whose software meets certain security criteria.³ Many software vendors argue that regulation would reduce their ability to adapt to the changing threats in cyberspace. It is also believed that software vendors oppose regulation because it is costly.

Other proposed legislation includes bills that require companies to report data breaches and inform their customers. There is no federal law in place mandating breach notification, but several states have adopted security breach laws, including California, which became the first state to pass a breach law in 2003.⁴ Companies that experience breaches tend to be reluctant to release information. The companies can be both embarrassed and afraid to lose the public's confidence. California passed a bill⁵ to revise its notification law in 2009, but the revision was vetoed by Governor Schwarzenegger. The revision aimed to provide customers with more information about the breaches in order to allow them to make informed decisions about what risk the breach may present. It would have also required that any single breach that affected more than 500 individuals be reported to the attorney general.

In conclusion, government regulation does not make companies aim to be more secure, but it does get them to meet regulatory standards. These standards are generally more secure than the policies companies would voluntarily adopt. There are strong arguments both for and against government regulation of security in the private sector. Those for regulation see it as the government's responsibility to protect the economy and the best solution for motivating the companies that do not view the expense as justified. Those against regulation say it stifles innovation and goes against the principles of free enterprise, even though regulation is an integral part of the U.S.'s mixed economy. Regardless of one's stance on the subject, it is clear that the government is going to play a growing role in the cyber security field moving forward.

3 Kenneth Corbin, InternetNews.com Realtime IT News, http://www.internetnews.com/security/article.php/3827296/Feds-MullingIncentives-for-Secure-Software.htm (June 2009).

4 Kim Zetter, California Looks to Expand Data Breach Notification Law, http://www.wired.com/threatlevel/2009/03/calooks-to-exp/ (March 2009)

5 Senate Bill 1166

Works Cited

Corbin, Kenneth. "Feds Mulling Incentives for Secure Software." InternetNews.com Realtime IT News. N.p., 26 June 2009. Web. 14 Dec. 2010. <http://www.internetnews.com/security/article.php/3827296/Feds-MullingIncentives-for-Secure-Software.htm>.

McKeay, Martin. "It's frustrating being a QSA, but sometimes it's rewarding." Network Security Blog. N.p., 28 Mar. 2010. Web. 14 Dec. 2010. <http://www.mckeay.net/2010/05/28/itsfrustratingbeingaqsabutsometimesitsrewarding/>.

"PCI SSC Data Security Standards Overview." PCI Security Standards Council. N.p., n.d. Web. 14 Dec. 2010. <https://www.pcisecuritystandards.org/security_standards/index.php>.

Roush, Wade. "Balancing Computer Security and Innovation - A Talk with RSA's Art Coviello." Xconomy. N.p., 29 June 2009. Web. 14 Dec. 2010. <http://www.xconomy.com/boston/2009/06/29/balancing-computer-security-and-innovation-a-talk-with-rsas-art-coviello/>.

Zetter, Kim. "California Looks to Expand Data Breach Notification Law." Wired. N.p., 6 Mar. 2009. Web. 14 Dec. 2010. <http://www.wired.com/threatlevel/2009/03/calooks-to-exp/>.
