Security Profession blog
Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.
Wednesday 21 May 2008, 5:45 PM
Should We Object to the Recent Tide of Data Legislation?
It was interesting to read in this morning’s Guardian objections to proposals for the Data Communications’ Bill (http://www.guardian.co.uk/technology/2008/may/21/freedomofinformation.civilliberties) to create a central database of recorded telephone calls, emails and web site visits made in Britain. This comes on the back of proposals late last month making it a criminal offence to carelessly lose or release personal data, an amendment to the criminal justice and immigration bill. There is also a lot of debate over whether legislators here should pick up on what has become known as the “California Law”—actually being enacted in several US states—requiring companies to disclose major breaches involving personal data to the people who have been affected. The fact that legislators are jumping into the fray on the sudden public and business concern over data security shouldn’t come as a surprise. It is natural for government to respond to what its constituents are thinking about. And for each proposal there will be pros and cons. Those of us working in information security can evaluate these as security professionals and as individual citizens.
As a citizen I would want to know if a company had been negligent with my data. I would probably want to see some sort of justice to make sure it doesn’t happen again. As a professional I can appreciate that disclosure can make the victim as well as the company more vulnerable and less secure in the end.
Clearly society needs the ability to properly investigate online criminal activity. A database could certainly make this easier. But who would have access, and what could be the unintended results? The legislators behind the Regulation of Investigatory Powers Act (RIPA) had not intended to help councils monitor whether parents actually lived in their child’s school catchment area, but this is exactly what Poole Borough Council did.
Legislators will continue to evolve our laws to account for the way in which we now live and work with information. The devil will be in the detail of how laws are written, interpreted and applied, and as experts in the field, information security professionals may well have to play an active role in managing this risk. Rather than objecting it may be better to get involved in shaping the outcome.
John Colley, CISSP
Managing Director, EMEA, (ISC)2 Europe
Thursday 17 April 2008, 1:34 PM
Security is moving beyond the perimeter
I was reading some of the early results from our 2008 (ISC)2 Global Information Security Workforce Study recently and was quite interested to see that more companies are deploying cryptography and storage security.
It seems we’ve finally moved away from the perimeter and are focusing on the data that’s inside it.
Of course the edge of the network is still important. Firewalls, intrusion detection, and identity and access management are still more widely deployed by the 6,523 certified information security professionals surveyed globally for the study. The majority of organizations have good perimeter security technologies in place.
It’s what’s driving this change that’s most interesting. I believe increasing compliance and greater awareness of it by top level management is one of the main drivers. Company bosses know that if they lose confidential data it could not only leave them liable, but it could damage customer relationships, business reputation and future growth. There’s nothing like the threat of jail or business failure to get the CEO to sit up and ask what’s being done to secure customer data. The other driver is probably the Payment Card Industry Data Security Standard (PCI DSS). This standard is being mandated by Mastercard and VISA and is impacting on any organization that transacts money online. It’s interesting that the suppliers are dictating security standards to their customers.
Securing specific data with encryption and storage security such as access controls is also a response to more and more companies falling foul of their customers by letting lapsed security procedures put data at risk (e.g. TK Maxx last year, HMRC last month and HSBC last week).
I will be discussing the full results at Infosecurity Europe on Tuesday 22nd April in the keynote theatre at 15:45.
John Colley
(ISC)2 Managing Director, EMEA