In this podcast, Tim White, Director of Product Management, Policy Compliance at Qualys, talks about regulatory compliance trends seen across a variety of different regions in the world, as well as strategies for dealing with them.
Here’s a transcript of the podcast for your convenience.
Hello, I’m Tim White, Director of Product Management at Qualys. Today I’m going to talk about some regulatory compliance trends that we’re seeing across a variety of different regions in the world, and talk a little bit about some strategies for dealing with these and their implications.
Compliance, you know, really started out as a thing in the US quite a while back. We had Sarbanes–Oxley, and a variety of state privacy regulations that followed. We saw the growth of regulation of critical industry verticals, like the energy sector and healthcare sector, with the implementation of NERC – the National Energy Reliability Council Regulations – as well as HIPAA. These tended to be very general regulations at first. In additional versions they’ve become a little more prescriptive. HIPAA is still very vague, but they’ve added some regulatory body initiatives around HITRUST to provide better detailed guidance from a technology perspective. We’ve seen the emergence of a variety of different standards to help organizations implement the high-level regulatory requirements; NIST and ISO, to name a few, are fairly well adopted across the world: NIST in the US and ISO more so for regulations here in Europe. However, we see these emerging and being used across the globe as different organizations have different regulatory compliance needs and use different auditors.
We also have quite a few industry-led initiatives, like PCI. These have a lot more flexibility because of the fact that they don’t have to be adopted by governing bodies. It makes it very easy for them to make revisions and add additional provisions. And with PCI specifically, we’ve seen a lot of changes in the mandates as the financial industry realizes that more and more controls are required in order to protect personally identifying information for cardholders.
In the US recently, most of the growth and shake-up has been in the federal space. We’ve seen things like US FDCC, which is the desktop requirements for the US government, get replaced with USGCB in 2010. And then more recently, the president’s executive order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was implemented in 2017 – it just came out – requiring the NIST Cybersecurity Framework and the assessment of assets using DISA STIG standards.
In the executive order they’ve basically required a more significant stringent protection framework to be put in place using NIST’s cybersecurity framework, while continuing to use the DISA STIG for desktop and server-level hardening because of the fact that they’re very granular control requirements for operating systems. But measuring compliance against these regulations is a significant challenge for these organizations because collecting the technical control data from complex IT environments is a difficult task in itself. So, we see a lot of organizations kind of scrambling to figure out how they’re going to implement the new requirements while still pushing forward with drag and remediation of the issues that they’ve uncovered at the technical level.
In the EU we had the Data Protection Act. GDPR expands on the scope of this quite significantly, making the definition of subject data much more broad as well as adding additional requirements and crossing the entire EU. GDPR requires organizations globally to properly track and protect their EU customers’ personal data or face penalties and fines.
On multiple fronts, they have to track and classify IT assets that contain the data and adopt overall data governance and security programs in order to comply with GDPR. Organizations need to identify, classify and limit access to protected personal data, and there’s a whole host of very specific requirements around the end and lifecycles of how, when, why and where data can be stored and transmitted.
The UK has the Information Commissioner’s Office, which provides key guidance on implementing GDPR, and they make a lot of recommendations on controls and strategies for protecting data privacy. The regulation itself is extremely general, so it’s going to take a lot of interpretation throughout the globe to decide exactly what needs to be put in place from an information security perspective.
France and Germany
Of course, many of the countries and regions have their own existing information security regulations. France has ANSSI – Implemented Essential Measures for Healthy Networks. And Germany has BSI-Grundschutz, which is a highly center-ground ISO 27001 and 27002 implementation. And we continue to see that additional countries within the EU are going to be implementing their own localized regulations to enforce GDPR’s more general requirements. And of course, there’s additional information security provisions that may be needed. The GDPR itself has country-specific provisions that provide these individual countries a lot of leeway as well, and we expect that that will result in the emergence of additional government entities implementing specific regulations within their boundaries.
The complexity of the cross-border requirements is likely going to result in overlapping and possibly conflicting controls or requirements. And as such it will be a significant challenge for many businesses that do business across most countries or many countries in the EU. As we know, there’s very few companies that are constrained within the boundaries of a single country these days. And so complying with all of these individual regulations, as well as the broader regulation, is going to continue to be a challenge.
In the Middle East we’ve seen a lot less stringent requirements. NESA in the UAE introduces an Information Assurance Standard that covers a variety of different areas of requirements for strategy and planning such as risk management, security awareness and training. It’s really a high-level, general compliance regulation requiring people to basically implement a good security program. And then of course we have ADSIC – the Abu Dhabi Systems and Information Centre – Information Security Standard; they just recently introduced version 2.0 of that standard, which is intended to guide entities and business partners in areas requiring focus for the application of information security controls. Adherence to the controls standard is being rolled out across the Abu Dhabi government entities, which is the majority of the center for the requirements. However, there are general requirements for businesses and partners within the region to comply with this as well, which mostly affects a lot of the oil industry and energy sectors and things of that nature.
In India, there’s been a big trend in adoption of technology as part of the digital transformation of the country. We’ve seen a significant growth in the adoption of automated payment systems. In my last couple of trips to India it’s been very visible: over a one-year period, the change in the way that they accept payment. The reform of their monetary system was a key driver for this, and India’s central banking and monetary authority – the Reserve Bank of India – in response to this has implemented a new set of requirements, primarily because of the number, frequency and impact of cybersecurity incidents on Indian banks and the number of customers that exist in that country due to the population; they’ve seen a significant increase across the entire country. And like their global peers, they’re committed to maintaining customer trust, protecting financial assets and preserving their brand. So, there’s a significant push to adopt better cybersecurity requirements.
RBI is now requiring all the banks in the country to comply with these very prescriptive regulatory requirements. They define specific controls and adoption guidelines. They require the banks to maintain immediate preparedness; they’re required to submit their risk analysis and control gaps to the board along with remediation timelines for prioritization and show positive improvements. So this regulation is actually quite impressive in the scope that they went through to push this down to their individual constituent banks.
We’re seeing this trend emerge where other industries within India are following suit. So there’s the IRDA, which is the insurance industry’s data requirements, that are being pushed out and expected to go live soon as well, for the same exact reasons. We expect that at some point there’ll probably be a merging of many of these regulations into a more concise national standard, similar to what we’ve seen in Australia.
Australia actually has a fairly mature set of standards and requirements. The ISM – the Information System Manual – covers a variety of critical strategies and requirements for information systems within the country for the government as well as for businesses doing work there. And they’ve also put out a variety of directives, like the Essential Eight strategies for securing information systems. They have requirements around privacy and data protection. They have requirements around infrastructure protection, and in a lot of areas where they don’t have requirements, they just generally require compliance with NIST and other globally accepted standards, so it’s a fairly comprehensive approach that we’re seeing in that region.
The key drivers for regulation
Overall, information security issues, nation state activities and evolving threats are continuing to keep the focus on InfoSec at the regulatory level. We’re seeing this drive the creation of more and more regulations; we’re seeing a varying level of enforcement across these regulations. We think over time that that will kind of level out and we’ll see more parallelism across the requirements in a lot of regions, especially in areas like the EU where they have a more broad governing body that’s putting out controls like GDPR.
What you can expect in the near future
We’ll see regulatory boards and governing bodies and commissions like the ISO providing more guidance on exactly what it means to be compliant with certain parts of the regulations. They’ll probably become a little bit more prescriptive in nature. It’s difficult for them to make the regulation itself more prescriptive because of the fact that the regulations are difficult to change and require a variety of international cooperation to put into place.
The governing bodies can provide significant guidance and of course, the courts will work out some specific requirements as well. We’ll probably see a lot of legislation by court order defining exactly what it means to do due diligence and what types of controls are appropriate for different situations, etc.
We continue to see the emergence of mandates in more developing countries as they broadly adopt a lot more of these new IT technologies and begin making the digital transformation. Because of the fact that we as a society have become so dependent on these systems, it’s really critical that companies do due diligence and implement the best practices in the first place.
Generally, a big challenge of this is that because global organizations are participating in so many different locations, and there are requirements about transferring data over borders, it’s going to be a very significant process to implement and to prevent conflicting and overlapping requirements from becoming a challenge. You’re going to have to do a significant amount of work in analyzing all of the different regulatory requirements the organization faces. There are some fairly good approaches to doing this. You can use a control objective framework like NIST 800-53 or COBIT to identify a framework of control requirements, and map those back to your overall policy requirements. Make sure that you have policies in place that meet all of the regulatory requirements that you’re subject to. And then the most important piece: implementing the technical and procedural controls. You need to then look at how those individual technical and procedural controls map back to your overall control objectives, so you can get a complete picture of whether or not you’re doing due diligence and enforcing the things that you set out in your written security policies.
Many of these regulations are vague, so you should use best practices recommended by industry leaders like CIS and ISO. DISA STIG is another good technical standard that we’re seeing more broadly adopted in the non-government space, just because of the fact that it’s a fairly locked-down standard and provides a lot of depth and breadth of operating system coverage as well.
Don’t forget about procedural controls as well. You need to implement process restrictions, access to the data center, backup policies – all of the basic things that organizations should be doing to protect the integrity and availability of data – as well as making sure that you track and categorize data classifications, which is going to become more and more important as we see more regulations. Because identifying the data you’re supposed to protect is a significant challenge, you’ll need asset management and other capabilities to track this data over time. You’ll want to make sure you implement compensating controls for areas where you have some risk exposure, to reduce the overall possibility that these systems can be exploited.
In summary, just make sure that you continue to move fast and adopt the new technologies that are appropriate for securing the systems. InfoSec can sometimes be an afterthought, and more regulations, especially GDPR, are asking that you build these privacy protection features into your process from the beginning. Regulations are things that should be done in the first place. It’s often the fact that we don’t do due diligence that results in us having to implement regulatory requirements. Continue to build more stringent security programs and focus investment on protecting the critical data, which you should be doing in the first place.
Qualys is here to help. We have a variety of out-of-the-box support for many current regulations as well. We’ll be expanding that as future regulations emerge, both in our Policy Compliance and Security Assessment Questionnaire products, as well as by providing general information security technologies that you can use to enforce and protect your organization’s data.