Information Security News mailing list archives

New laws to drive '04 security agenda


From: InfoSec News <isn () c4i org>
Date: Tue, 11 Nov 2003 06:46:58 -0600 (CST)

http://www.computerworld.com/securitytopics/security/story/0,10801,87002,00.html

Story by Jaikumar Vijayan 
NOVEMBER 10, 2003 
COMPUTERWORLD 

WASHINGTON -- The need to comply with an array of complex data laws
will dominate the security agenda in 2004, according to attendees at
the Computer Security Institute conference here last week.

As in previous years, IT security managers expect to spend
considerable time and resources fending off destructive intrusions and
insider threats.

But the most daunting challenge will be dealing with laws such as the 
Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, California's SB 1386 
privacy law and international data integrity and privacy laws, they 
said. As a result, the emphasis will be on issues such as policy 
management and enforcement, benchmarking against standards, incident 
response, forensics and monitoring for insider threats. 

"As far as my business and industry in general goes, the single 
biggest driver is compliance with all the new data and privacy laws," 
said Michael Kamens, global network security manager at Thermo 
Electron Corp., a $2 billion manufacturer of scientific equipment in 
Waltham, Mass. 

As a publicly traded U.S. manufacturer with multinational operations, 
Thermo has to deal with compliance issues ranging from Sarbanes-Oxley 
to a Chinese encryption requirement that involves filling out forms in 
Mandarin. "It is requiring me to quadruple the effort that I have to 
put in on a daily basis to ensure that my company is in compliance and 
that I'm safeguarding its good name," Kamens said. 

United Government Services LLC, a Milwaukee-based provider of 
administrative and consulting services for publicly funded health care 
systems, is governed by 400 security requirements issued by the 
Centers for Medicare and Medicaid Services. Meeting all of them will 
be a "very large driver" of security efforts next year, said systems 
security officer Todd Fitzgerald. 

For the most part, the efforts will focus not on technology 
improvements but on implementing security policies and management 
processes to ensure regulatory compliance. "It's a process that will 
involve spending a lot more time working with management and end 
users, educating them on what the security risks are," Fitzgerald 
said. 

Third-party connectivity issues are a priority at St. Jude Medical 
Inc. in St. Paul, Minn. 

As a $1.6 billion manufacturer of cardiovascular equipment, with 15 
facilities worldwide and customers in 120 countries, St. Jude has to 
make sure it avoids liability for security breaches involving its 
supply chain or business partners, said David Stacey, global IT 
security director. 

"Regulation is a massive issue, and most organizations are clearly not 
ready to deal with the myriad issues and details involved," said Ben 
Rothke, a senior security consultant at Thrupoint Inc., a management 
services company in New York. 

Complying with data regulations will mean turning traditional notions 
of the IT security function and its role within organizations upside 
down, said Terri Curran, director of research at the Center for 
Digital Forensic Studies Ltd. in Auburn Hills, Mich. 

"CSOs in the near future are going to have to get more creative about 
things like privacy, risk acceptance, forensics, industry-related 
regulations, and state and federal laws that are really going to 
affect them," Curran said. 

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.