The Evolution of a Standard :
   How Compliance Regulations Get Made
   (Birth of a New Industry)




    GLOBAL CAPABILIT...
Background on Regulation & Deregulation
     • Airline:
       – Civil Aeronautics Board (1937)
       – Airline Deregulat...
Why Regulation?



     • Trying to get a
      handle on large
      problems that
      affect many
      individuals
  ...
Pattern of Data Loss
     • Large Data Breaches (in millions)
       – 3.9    :: Financial institution in 2005
       – 4....
History of Regulatory Time




 5
  http://www.informationshield.com/papers/A%20History%20of%20Regulatory%20Time.pdf
Monda...
Vaccinations & Regulatory Compliance
     • The problem is that although most all agree that vaccination is positive for
 ...
Vaccinations & Regulatory Compliance
     • Economics of Immunization and Compliance
       – A poorer population will ben...
Inflection Points and Traffic Jams
     • Inflection Points (“Tipping Point”)
       – “An inflection point occurs where t...
9


Monday, July 5, 2010
Traffic Patterns and Modeling
      • Kurt Vonnegut's Cat's Cradle “Ice Nine”
        – Polymorph of water that freezes at...
Traffic Jams and Industry Regulation




                                          Critical event
                       C...
Traffic Jams and Industry Regulation




                       http://www.myhomezone.co.uk/project/Report.htm
 12


Monda...
Entering and Exiting a Traffic Jam
      1) Traffic density
           rises over time
      2)   Critical event
         ...
What’s the Solution?
      • “Building more roads to ease traffic is like trying to cure obesity by
       loosening the b...
What’s the Solution?
      • Examine Use Cases
        – Medical record data vs. Payment card data
        – Data retentio...
Measuring the Problem
      • “If all economists were laid end to end, they would not reach a conclusion.”
        – Georg...
3 Habits of Highly Effective Regulation
      • Education!
        – Drives adoption and adherence


      • Flexibility o...
Questions?




 18


Monday, July 5, 2010
Upcoming SlideShare
Loading in...5
×

How compliance regulations get made

256

Published on

Published in: Technology, Business
1 Comment
0 Likes
Statistics
Notes
  • Be the first to like this

No Downloads
Views
Total Views
256
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
3
Comments
1
Likes
0
Embeds 0
No embeds

No notes for slide

How compliance regulations get made

  1. 1. The Evolution of a Standard : How Compliance Regulations Get Made (Birth of a New Industry) GLOBAL CAPABILITY. PERSONAL ACCOUNTABILITY. Michael Dahn Global PCI QA Manager © 2008 Verizon. All Rights Reserved. PTE13156 09/08 Monday, July 5, 2010
  2. 2. Background on Regulation & Deregulation • Airline: – Civil Aeronautics Board (1937) – Airline Deregulation Act (1978) • Railway: – Interstate Commerce Commission (1887) – Railroad Revitalization and Regulatory Reform Act (1976) / Staggers Rail Act (1980) • Trucking: – Motor Carrier Act (1935) – Motor Carrier Regulatory Reform and Modernization Act (1980) • Energy: – OPEC price hikes (1973) – Emergency Natural Gas Act (1977) • Finance: – Glass-Steagall Act (1933) – Gramm-Leach-Bliley Act (1999) 2 http://en.wikipedia.org/wiki/Deregulation Monday, July 5, 2010
  3. 3. Why Regulation? • Trying to get a handle on large problems that affect many individuals – Monopoly – Poor conditions – Unbound risk – Consumer protection Image from Hugh MacLeoud of Gaping Void 3 Monday, July 5, 2010
  4. 4. Pattern of Data Loss • Large Data Breaches (in millions) – 3.9 :: Financial institution in 2005 – 4.2 :: Supermarket chain in 2008 –5 :: Online bill pay in 2007 – 6.3 :: Online trading company in 2007 – 8.5 :: Banking service provider in 2007 – 12.5 :: Bank in 2008 – 17.7 :: Online adult entertainment in 2006 – 28.6 :: Government agency in 2006 – 40 :: Payment service provider in 2005 – 45.7 :: Retail store in 2007 – 76 :: Government agency in 2009 – 130 :: Payment processor in 2009 • Evolution of Methods – Flat files, network sniffing, serial port sniffing, custom malware – EU: retail moved to e-commerce 4 Monday, July 5, 2010
  5. 5. History of Regulatory Time 5 http://www.informationshield.com/papers/A%20History%20of%20Regulatory%20Time.pdf Monday, July 5, 2010
  6. 6. Vaccinations & Regulatory Compliance • The problem is that although most all agree that vaccination is positive for the population not everyone agrees that it is positive for the individual • Individuals say: – My environment is already secure – I know how to manage risk better than the regulatory bodies – My environment is special and unique and does not fit into your Procrustean boxes • Are we as secure as we think we are? – Do we rely on third parties? – Who do we share data with? – Who do we give access to our data and systems? 6 Monday, July 5, 2010
  7. 7. Vaccinations & Regulatory Compliance • Economics of Immunization and Compliance – A poorer population will benefit more strongly from an immunization program than one that maintains a high level of sanitation, health care, and treatment programs – A more vulnerable population (e.g. retail, restaurants, higher education, e-commerce, etc.) will benefit more from regulatory compliance than one that is more highly secure • The cause of action to vaccinate a population is to immunize them from each other – Card data stolen from one location can affect fraud at another location resulting in mutually assured negative impact • Tipping point of vaccination – “An aggressive vaccination program that first targets children and ultimately reaches 70% of the US population would mitigate pandemic influenza H1N1” »Vaccine and Infectious Disease Institute (VIDI) at Fred Hutchinson Cancer Research Center 7 Monday, July 5, 2010
  8. 8. Inflection Points and Traffic Jams • Inflection Points (“Tipping Point”) – “An inflection point occurs where the old strategic picture dissolves and gives way to the new” – Andy Grove in Only the Paranoid Survive • Where are we on the “Sine Wave of Pain”? Image from UnderstandingCalculus.com 8 Monday, July 5, 2010
  9. 9. 9 Monday, July 5, 2010
  10. 10. Traffic Patterns and Modeling • Kurt Vonnegut's Cat's Cradle “Ice Nine” – Polymorph of water that freezes at 45.8 °C (114.4 °F) instead of 0 °C (32 °F) – One shart of Ice-Nine is the catalyst • “Hysteresis” (physics) – “A state of traffic depends not only on its density but on its history – on whether it was previously denser or less dense. As the traffic rate rises and then falls, the flow rate follows a loop.” »Critical Mass by Philip Ball • Nagel-Schreckenberg (NaSch) model 10 Monday, July 5, 2010
  11. 11. Traffic Jams and Industry Regulation Critical event Critical density http://www.myhomezone.co.uk/project/Report.htm 11 Monday, July 5, 2010
  12. 12. Traffic Jams and Industry Regulation http://www.myhomezone.co.uk/project/Report.htm 12 Monday, July 5, 2010
  13. 13. Entering and Exiting a Traffic Jam 1) Traffic density rises over time 2) Critical event occurs 3) Critical traffic density maintained 4) “Regulation” to ease traffic 5) Traffic density eases over time 6) “Deregulation” when no longer necessary http://www.myhomezone.co.uk/project/Report.htm 13 Monday, July 5, 2010
  14. 14. What’s the Solution? • “Building more roads to ease traffic is like trying to cure obesity by loosening the belt” – Richard Moe, Head of the US National Trust for Historic Preservation • Simply applying “more” security does not necessarily mean you achieve “better” security – Can you put fewer cars on the road rather than building more roads? • Help prevent data sprawl – Security is required where data is maintained »Data, data, anywhere? »Data, data, everywhere? – Reduce scope through grouping of systems – The more complex a system the harder (and more costly) it is to maintain 14 Monday, July 5, 2010
  15. 15. What’s the Solution? • Examine Use Cases – Medical record data vs. Payment card data – Data retention sometimes required, but what do you retain? »Dept collection agencies »Reoccurring payments »Data mining and analysis • Cost to secure data vs. Business need for data – Cost to securing data can be proportional to the volume of it • Brute force is effective but costly, while the elegant solution is simple and secure – “PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.” – Tokenization – Point-to-Point (End-to-End) Encryption 15 Monday, July 5, 2010
  16. 16. Measuring the Problem • “If all economists were laid end to end, they would not reach a conclusion.” – George Bernard Shaw • Solve tomorrows problems with today’s technology – Problems are not hard if we know which ones to solve • Plugging one hole doesn’t save the levee – Reducing card present fraud drives attackers online – Reducing fraud in one country drives them to others – Only a holistic solution will work on such interconnected systems 16 Monday, July 5, 2010
  17. 17. 3 Habits of Highly Effective Regulation • Education! – Drives adoption and adherence • Flexibility of controls – 100 % compliance is not the goal when system failures occur in groups – PCI DSS “Compensating controls” – EU Data Protection Directive “Comply or explain” • More data for Risk Modeling – Can we ever manage risk on a moving target? – Frequentist vs. Bayesian statistics 17 Monday, July 5, 2010
  18. 18. Questions? 18 Monday, July 5, 2010
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×