Meeting and staying on top of compliance regulations is a big challenge for every IT department. Thanks to new regulations and updates, 2012 is set to take this task to the next level and increase the pressure on organizations to get their house in order.
Most notable is the new version 2.0 of PCI DSS, which the PCI Council brought into effect on January 1. There are a great number of merchants who are still unprepared for this despite reminders and pressure from card providers to get up to speed. There are seven key changes in PCI version 2.0, such as not disclosing private IP addresses and routing information to unauthorized parties and establishing processes to identify and assign a risk ranking to newly discovered security vulnerabilities.
There are also a number of minor clarifications to the existing requirements, some of which are very important. For example, if you store a customer’s primary account number (PAN) from a credit card, it must now be rendered unreadable. It is also important to verify that you are meeting all the requirements appropriately and to consult your acquirer for additional clarification.
There’s limited time left for PCI DSS 2.0 compliance and some of these changes require significant time to implement, so organizations cannot afford to procrastinate – they need to start working toward these goals now.
Updates to the European Union’s Privacy and Electronic Communications Directive are something else to keep an eye on throughout this year. For example, in January we saw major changes proposed to the way in which companies manage their data privacy. Proposals included a requirement for private companies that suffer a data breach to notify the authorities and the individuals concerned within 24 hours.
I anticipate further changes to come, especially regulations around web user privacy, which are set to become much tighter. From a global perspective, law-makers will put more pressure on organizations by increasing the penalties for breaches and holding them more accountable for consumer data. Companies will need to get much more proactive in monitoring their user data, employ better security controls, and follow tighter processes in order to be compliant with various existing and new regulations.
Specific regulations aside, it’s important to remember that achieving compliance is just a means to an end, and not the end itself. The ultimate goal is to get your infrastructure secure so you can protect your customer and employee data from hackers. Focus on security first and compliance will follow automatically.
One of the biggest problems I find is companies that have focused on getting compliance “done” – essentially viewing it as a box-ticking exercise and making the technology fit, rather than taking a step back and looking at the bigger picture, the business processes, and so on. The reality is that compliance is an ongoing process that organizations need to keep on top of, because scope and requirements change frequently.
Treating compliance as a checkbox can get you in trouble. Compliance doesn’t necessarily mean security. Strong security, on the other hand, should usually result in compliance and a positive impact on the business. Stay secure.
Guy Churchward, CEO, joined LogLogic in 2009 from NetApp, where he served as NetApp’s vice president and general manager of its Data Protection Group. Prior to NetApp, Churchward was VP & GM of BEA’s WebLogic Products Group and ran several business units, including Server, Portal, JavaVM, Virtualization, Eventing, Realtime and RFID. Churchward’s career spans more than 20 years in the IT industry, with a bias toward applications and data infrastructure, concentrating heavily on virtualization and cloud for the last five years. He previously held senior management positions at Sun Microsystems (formerly Tarantella Inc.), Santa Cruz Operation (formerly IXI), Accenture (formerly Binder Hamlyn) and Olivetti. Churchward holds an executive MBA from Stanford Business School and studied computer science at Cambridge Tutors College, UK.