On Monday morning, November 7th, 2006, George Toft (CISSP) presented on Compliance for System Administrators at the Phoenix SysAdmin Days event. George's presentation made the case that sysadmins need to understand the requirements, areas of influence, and jurisdiction of the various regulations and standards in place today to protect company and customer data.
Maintaining a secure data center can protect the company or organization from legal and civil penalties, in addition to protecting against the loss of personal information on customers, clients, and employees, and of course against the loss of direct and indirect revenue. George used real-life examples, both negative and positive, to show how data loss has affected companies in the Phoenix metropolitan area.
He referred to reports showing that cybercrime is big business, some placing it larger than drug trafficking. Not surprisingly, government agencies, Congress, and a few professional organizations have not overlooked the problem and have worked to encourage, and to enforce, a more secure infrastructure in the data center, albeit at times with reluctance. HIPAA, GLBA, PCI DSS, SOX, FACTA, FERPA, and FISMA were discussed along with the industries each covers. George also covered the recent Arizona breach-notification law ARS 44-7501, how it compares to federal laws such as GLBA and HIPAA, and how it relates to other state-law incident-reporting requirements.
George did a great job explaining that sysadmins need to be properly trained in their organization's policy and procedure (and, of course, that the organization needs policy and procedure in the first place), and that recovery plans must be tested before a crippling loss of data occurs, not after. HIPAA's requirements, for example, cover not only the privacy of medical records but also the availability of that data in the event of a disaster. In many cases, private-sector standards are no less strict on their respective industries; George discussed this in the context of the credit card processing industry's PCI DSS, a joint standard of Visa, MasterCard, American Express, and Discover.
Overall, the system is far from perfect: of the somewhere between 10,000 and 20,000 HIPAA violations reported since the act's birth, for example, only 3 have been or are in the process of being prosecuted. Nevertheless, companies must be aware of which requirements, standards, and guidelines affect their activities; plan for and implement the necessary measures; and test those measures, whether the chosen treatment of a risk is mitigation, transfer, or acceptance (with accompanying contingency plans in the latter cases). Even if a company has experienced people to assess risk, it is recommended to have at least a third-party review of the assessments to verify the results. Assessment and testing are very beneficial to overall security, and George also pointed out that they can be very useful to company marketing, which is another potential source of the resources ($$) needed for assessment, testing, and the mitigation, transfer, or acceptance of risk.
Links:
http://lopsa.org/SysAdminDays
https://blogs.lopsa.org/wp-content/uploads/2015/11/LOPSA – Rosetta Stone.pdf
Other links