Breaches within Sony’s and Epsilon’s networks in recent months have shone a light on a very real concern in the Age of Stolen Information. The government believes that more legislation and regulation will solve the security problems that plague our interconnected networks and systems.
One only has to take a quick glance at the latest regulations from the Food and Drug Administration (FDA) on Medical Device Data Systems (MDDS) or the new Cyberwarfare Doctrine from the Pentagon to see the trend toward greater regulation.
But rules dictated by government fiat always lag far behind technological advances and create a “security by compliance” culture. So what is the solution?
In my opinion, additional Federal legislation on the subject of information security breaches is unnecessary. Currently there are multiple industry regulatory regimes that cover information security best practices. At a high level here are a few:
- National Institute of Standards and Technology (NIST) Computer Security Division (800 Series), which applies across all industries.
- Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (Section 404) for the financial sector.
- Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) for healthcare.
- North American Electric Reliability Corporation (NERC) for utilities.