Feds Want Uber Cybersecurity Compliance Standard
Thu, October 06, 2011
Network World — Tired of regulators from three or four federal agencies auditing your network security compliance every year? A congressional task force recommends a super-standard that would cut the number of annual audits back to just one.
If adopted, the proposal would consolidate federal cybersecurity mandates issued by disparate agencies into a single set of standards that would satisfy all of their requirements. Businesses would then need only a single audit to demonstrate compliance with all of them, according to the House Republican Cybersecurity Task Force, which released its recommendations today.
The group notes that Sarbanes-Oxley, the Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley all impose security requirements. "A company would be encouraged to implement stronger security standards by allowing it to save money and time by avoiding multiple audits from multiple regulators," the task force says.
The task force was set up in June by House Speaker John Boehner in part to respond to the Obama administration's proposed cybersecurity legislation, delivered to Congress in May.
Regulatory compliance has become the bane of CIOs and CISOs, sapping their budgets to the point where some say they can afford to do little else but meet the regulations to the satisfaction of auditors.
At this week's SINET Innovation Summit in Boston, on innovation in cybersecurity, one speaker, Sallie Mae CSO Jerry Archer, said his agency spent 40% of its budget on complying with regulations. "What is needed is automating compliance to reduce the bite it takes from the budget," he says.
Another speaker at the summit congratulated him on such a low percentage. "For some it's 100%," says Josh Corman, director of security intelligence at Akamai. The trouble with regulations, he argues, is that they drive security architectures toward preventing data losses that may have little real impact, while ignoring thefts that could be devastating.
For instance, loss of credit card numbers, whose protection falls under the private payment card industry standards, is painful to the card holders, but the cards can be replaced. More focus should be put on data breaches that result in the loss of critical technologies that could wipe out businesses or imperil national security, Corman says.
The congressional task force also says that the best way for government to get the big picture of cyberattacks is to have someone else do the investigation.
The task force's recommendations include setting up an organization separate from government that gathers data on cyberattacks for government as well as private groups to tap into when they need a picture of ongoing cyberactivity threatening critical infrastructure.