
What’s Missing in PCI and Vulnerability Assessments?

Recently I hosted a webinar about the regulatory landscape for vulnerability assessments in systems that manage or store sensitive data. Over time, we’ve seen more and more regulatory scrutiny coming into effect. It’s expanding every year and ranges across industries. A very brief description of several of these might be helpful in understanding how far-reaching these regulatory changes are.

The regulatory requirements come from the Health Insurance Portability & Accountability Act (commonly known as HIPAA, which continues to be revised as the threat landscape transforms). HIPAA requirements provide privacy and security provisions for safeguarding your medical information. The Sarbanes-Oxley Act (which you may see shortened to SOX or Sarbox, also known as the “Public Company Accounting Reform and Investor Protection Act” in the Senate and “Corporate and Auditing Accountability and Responsibility Act” in the House of Representatives) set new or expanded requirements for all United States public company boards, management, and public accounting firms, but also included provisions that apply to privately held companies. The Gramm–Leach–Bliley Act (GLBA) made many changes in financial industry regulations, but also included governance for the collection, disclosure, and protection of consumers’ nonpublic personal information.

The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority that assures the reliability of the bulk power system in North America. The NERC Critical Infrastructure Protection plan consists of nine standards covering the security of electronic perimeters, physical security of critical cyber assets, personnel and training, security management, disaster recovery and more. The Federal Information Security Modernization Act (FISMA) defines the framework to protect government information, operations, and assets against natural or man-made threats. The Payment Card Industry Data Security Standard (PCI DSS) increases controls around cardholder data to reduce credit card fraud, something that we can all appreciate following breaches with Target, Home Depot and more.

Vulnerability Assessments

All of these regulatory requirements increase scrutiny and put legal requirements and penalties on protecting sensitive information, documenting responsibilities and processes, and require visibility into risks. In my webinar, we focus on PCI and application security. The application layer carries the highest risk, but isn’t getting the attention it needs. PCI requires vulnerability assessments, which basically consist of identifying vulnerabilities in all installed software (including in-house or custom code), independently risk-rating those vulnerabilities, and monitoring for new vulnerabilities – then promptly applying patches as they become available. Learn why the quarterly requirement of the PCI standards is not enough given the number of vulnerabilities disclosed each year, and what’s missing in the vulnerability assessment tools.

Here are the slides from my webinar. If you would like more information, the webinar is available on demand. Watch the recording on BrightTALK, and please share your questions.


The post What’s Missing in PCI and Vulnerability Assessments? appeared first on Open Source Delivers.
