• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
How compliance regulations get made
 

How compliance regulations get made

on

  • 309 views

 

Statistics

Views

Total Views
309
Views on SlideShare
309
Embed Views
0

Actions

Likes
0
Downloads
2
Comments
1

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

11 of 1 previous next

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    How compliance regulations get made How compliance regulations get made Presentation Transcript

    • The Evolution of a Standard : How Compliance Regulations Get Made (Birth of a New Industry) GLOBAL CAPABILITY. PERSONAL ACCOUNTABILITY. Michael Dahn Global PCI QA Manager © 2008 Verizon. All Rights Reserved. PTE13156 09/08 Monday, July 5, 2010
    • Background on Regulation & Deregulation • Airline: – Civil Aeronautics Board (1937) – Airline Deregulation Act (1978) • Railway: – Interstate Commerce Commission (1887) – Railroad Revitalization and Regulatory Reform Act (1976) / Staggers Rail Act (1980) • Trucking: – Motor Carrier Act (1935) – Motor Carrier Regulatory Reform and Modernization Act (1980) • Energy: – OPEC price hikes (1973) – Emergency Natural Gas Act (1977) • Finance: – Glass-Steagall Act (1933) – Gramm-Leach-Bliley Act (1999) 2 http://en.wikipedia.org/wiki/Deregulation Monday, July 5, 2010
    • Why Regulation? • Trying to get a handle on large problems that affect many individuals – Monopoly – Poor conditions – Unbound risk – Consumer protection Image from Hugh MacLeoud of Gaping Void 3 Monday, July 5, 2010
    • Pattern of Data Loss • Large Data Breaches (in millions) – 3.9 :: Financial institution in 2005 – 4.2 :: Supermarket chain in 2008 –5 :: Online bill pay in 2007 – 6.3 :: Online trading company in 2007 – 8.5 :: Banking service provider in 2007 – 12.5 :: Bank in 2008 – 17.7 :: Online adult entertainment in 2006 – 28.6 :: Government agency in 2006 – 40 :: Payment service provider in 2005 – 45.7 :: Retail store in 2007 – 76 :: Government agency in 2009 – 130 :: Payment processor in 2009 • Evolution of Methods – Flat files, network sniffing, serial port sniffing, custom malware – EU: retail moved to e-commerce 4 Monday, July 5, 2010
    • History of Regulatory Time 5 http://www.informationshield.com/papers/A%20History%20of%20Regulatory%20Time.pdf Monday, July 5, 2010
    • Vaccinations & Regulatory Compliance • The problem is that although most all agree that vaccination is positive for the population not everyone agrees that it is positive for the individual • Individuals say: – My environment is already secure – I know how to manage risk better than the regulatory bodies – My environment is special and unique and does not fit into your Procrustean boxes • Are we as secure as we think we are? – Do we rely on third parties? – Who do we share data with? – Who do we give access to our data and systems? 6 Monday, July 5, 2010
    • Vaccinations & Regulatory Compliance • Economics of Immunization and Compliance – A poorer population will benefit more strongly from an immunization program than one that maintains a high level of sanitation, health care, and treatment programs – A more vulnerable population (e.g. retail, restaurants, higher education, e-commerce, etc.) will benefit more from regulatory compliance than one that is more highly secure • The cause of action to vaccinate a population is to immunize them from each other – Card data stolen from one location can affect fraud at another location resulting in mutually assured negative impact • Tipping point of vaccination – “An aggressive vaccination program that first targets children and ultimately reaches 70% of the US population would mitigate pandemic influenza H1N1” »Vaccine and Infectious Disease Institute (VIDI) at Fred Hutchinson Cancer Research Center 7 Monday, July 5, 2010
    • Inflection Points and Traffic Jams • Inflection Points (“Tipping Point”) – “An inflection point occurs where the old strategic picture dissolves and gives way to the new” – Andy Grove in Only the Paranoid Survive • Where are we on the “Sine Wave of Pain”? Image from UnderstandingCalculus.com 8 Monday, July 5, 2010
    • 9 Monday, July 5, 2010
    • Traffic Patterns and Modeling • Kurt Vonnegut's Cat's Cradle “Ice Nine” – Polymorph of water that freezes at 45.8 °C (114.4 °F) instead of 0 °C (32 °F) – One shart of Ice-Nine is the catalyst • “Hysteresis” (physics) – “A state of traffic depends not only on its density but on its history – on whether it was previously denser or less dense. As the traffic rate rises and then falls, the flow rate follows a loop.” »Critical Mass by Philip Ball • Nagel-Schreckenberg (NaSch) model 10 Monday, July 5, 2010
    • Traffic Jams and Industry Regulation Critical event Critical density http://www.myhomezone.co.uk/project/Report.htm 11 Monday, July 5, 2010
    • Traffic Jams and Industry Regulation http://www.myhomezone.co.uk/project/Report.htm 12 Monday, July 5, 2010
    • Entering and Exiting a Traffic Jam 1) Traffic density rises over time 2) Critical event occurs 3) Critical traffic density maintained 4) “Regulation” to ease traffic 5) Traffic density eases over time 6) “Deregulation” when no longer necessary http://www.myhomezone.co.uk/project/Report.htm 13 Monday, July 5, 2010
    • What’s the Solution? • “Building more roads to ease traffic is like trying to cure obesity by loosening the belt” – Richard Moe, Head of the US National Trust for Historic Preservation • Simply applying “more” security does not necessarily mean you achieve “better” security – Can you put fewer cars on the road rather than building more roads? • Help prevent data sprawl – Security is required where data is maintained »Data, data, anywhere? »Data, data, everywhere? – Reduce scope through grouping of systems – The more complex a system the harder (and more costly) it is to maintain 14 Monday, July 5, 2010
    • What’s the Solution? • Examine Use Cases – Medical record data vs. Payment card data – Data retention sometimes required, but what do you retain? »Dept collection agencies »Reoccurring payments »Data mining and analysis • Cost to secure data vs. Business need for data – Cost to securing data can be proportional to the volume of it • Brute force is effective but costly, while the elegant solution is simple and secure – “PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.” – Tokenization – Point-to-Point (End-to-End) Encryption 15 Monday, July 5, 2010
    • Measuring the Problem • “If all economists were laid end to end, they would not reach a conclusion.” – George Bernard Shaw • Solve tomorrows problems with today’s technology – Problems are not hard if we know which ones to solve • Plugging one hole doesn’t save the levee – Reducing card present fraud drives attackers online – Reducing fraud in one country drives them to others – Only a holistic solution will work on such interconnected systems 16 Monday, July 5, 2010
    • 3 Habits of Highly Effective Regulation • Education! – Drives adoption and adherence • Flexibility of controls – 100 % compliance is not the goal when system failures occur in groups – PCI DSS “Compensating controls” – EU Data Protection Directive “Comply or explain” • More data for Risk Modeling – Can we ever manage risk on a moving target? – Frequentist vs. Bayesian statistics 17 Monday, July 5, 2010
    • Questions? 18 Monday, July 5, 2010