New laws to drive '04 security agenda
Dealing with new policies trumps technology, security administrators say
Computerworld - WASHINGTON -- The need to comply with an array of complex data laws will dominate the security agenda in 2004, according to attendees at the Computer Security Institute conference here last week.
As in previous years, IT security managers expect to spend considerable time and resources fending off destructive intrusions and insider threats.
But the most daunting challenge will be dealing with laws such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, California's SB 1386 privacy law and international data integrity and privacy laws, they said. As a result, the emphasis will be on issues such as policy management and enforcement, benchmarking against standards, incident response, forensics and monitoring for insider threats.
"As far as my business and industry in general goes, the single biggest driver is compliance with all the new data and privacy laws," said Michael Kamens, global network security manager at Thermo Electron Corp., a $2 billion manufacturer of scientific equipment in Waltham, Mass.
As a publicly traded U.S. manufacturer with multinational operations, Thermo has to deal with compliance issues ranging from Sarbanes-Oxley to a Chinese encryption requirement that involves filling out forms in Mandarin. "It is requiring me to quadruple the effort that I have to put in on a daily basis to ensure that my company is in compliance and that I'm safeguarding its good name," Kamens said.
United Government Services LLC, a Milwaukee-based provider of administrative and consulting services for publicly funded health care systems, is governed by 400 security requirements issued by the Centers for Medicare and Medicaid Services. Meeting all of them will be a "very large driver" of security efforts next year, said systems security officer Todd Fitzgerald.
For the most part, the efforts will focus not on technology improvements but on implementing security policies and management processes to ensure regulatory compliance. "It's a process that will involve spending a lot more time working with management and end users, educating them on what the security risks are," Fitzgerald said.
Third-party connectivity issues are a priority at St. Jude Medical Inc. in St. Paul, Minn.
As a $1.6 billion manufacturer of cardiovascular equipment, with 15 facilities worldwide and customers in 120 countries, St. Jude has to make sure it avoids liability for security breaches involving its supply chain or business partners, said David Stacey, global IT security director.
"Regulation is a massive issue, and most organizations are clearly not ready to deal with the myriad issues and details involved," said Ben Rothke, a senior security consultant at Thrupoint Inc., a management services company in New York.
Complying with data regulations will mean turning traditional notions of the IT security function and its role within organizations upside down, said Terri Curran, director of research at the Center for Digital Forensic Studies Ltd. in Auburn Hills, Mich.
"CSOs in the near future are going to have to get more creative about things like privacy, risk acceptance, forensics, industry-related regulations, and state and federal laws that are really going to affect them," Curran said.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts