Security Blog


The Governmental Response

Posted by: Kyle Deming

Tagged in: regulation

Any student of modern history must understand that when bad things occur, in particular when there are systemic failures, government happens.

While most IT security professionals are familiar with the Gramm-Leach-Bliley Act's requirement that personal financial information be appropriately protected, it is impossible to understand today's economic crisis without recognizing the profound impact GLBA had in deregulating, or de-governing, the American financial system. Not only did GLBA open the door to the evolution of derivative markets, it allowed banks and financial institutions to create highly flexible but highly deregulated and de-governed enterprises. The traditionally regulated mortgage industry was replaced by an unregulated, and thus de-governed, one serving a deregulated and de-governed financial industry. It was a disastrous failure!

The primary concern of IT security professionals should be foresight: organizing and preparing for a massive new array of regulatory oversight. As with the Gramm-Leach-Bliley Act, we can expect information security and information assurance requirements to be embedded in far more comprehensive and complex regulatory legislation.

Of particular concern are the following inevitable regulatory responses.

First, we can expect regulation to go beyond broad information assurance statements and become increasingly specific. This is the result of failed generalities. For example, legislation for accelerating the implementation of electronic medical records will increasingly drive more specific safeguards of this information. We can be certain that confidentiality and privacy will be expanded to provide greater concern over information integrity and availability. Availability failures in medical records certainly can create life-threatening scenarios.

Second, the integrity of financial information will continue to be addressed through more and more specific guidance. Sarbanes-Oxley was an early attempt, rushed into legislation following the collapse of Enron. The next round of regulatory controls will be more specific and simultaneously more comprehensive. Finally, there is an emerging trend to validate, accredit or certify the competencies of security professionals. This was highlighted in a recent Wall Street Journal article by Bruce Schneier, dated March 31, 2009, "Who Should Be in Charge of Cybersecurity?" Specific legislation recently cited in a Washington Post article, dated April 1, 2009, "Senate Legislation Would Federalize Cybersecurity," would require the licensing and certification of cybersecurity professionals. The legislation (the Rockefeller-Snowe measure), co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Senator Olympia J. Snowe (R-Maine), can be found in a U.S. Senate working draft of the bill dated March 31, 2009.

This proposed legislation specifically states:

"(a) In General. - Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.

(b) Mandatory Licensing. - Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program."

At IP3, our specific strategy will be to continue to organize and assemble the training and technical knowledge necessary to stay in front of these trends. We'll continue to focus on certification prep programs and stay abreast of the ongoing trends in certification requirements. My prior work with the Institute for Defense Analyses included the advisory team that produced the guidance which led to DoD Directive 8570, mandating a broad array of specific certifications for military security professionals. We will stay closely involved in similar trends and continue to provide you, our clients, with the most comprehensive overview of and insight into these trends possible.

Get smart, and stay smart.