[LOPSA-US-AZ] PHX SysAdmin Days - Summary of "Compliance For System Administrators"

Ben Trussell btrussell at gmail.com
Tue Nov 7 00:06:40 PST 2006


Monday morning George Toft (CISSP) presented on the subject of Compliance
For System Administrators.  George's presentation expressed the need for
sysadmins to have an understanding of the requirements, areas of
influence, and jurisdiction that make up the various regulations and standards
in place today to protect company and customer data.

Maintaining a secure data center can mean protecting a company from legal
and civil penalties, in addition to protection from loss of direct revenue.
George used real life examples to show how loss of data has affected
companies in the Valley, stating both negative and positive examples of
cases.

[To paraphrase:] Reasons behind various threats can range from industrial
espionage, to fraud, even to revenge by disgruntled current or former
staff.  Loss of data will inevitably result in lost time and revenue, and
may lead to other damages such as loss of a competitive advantage and a
tarnished reputation.

He referred to reports that show that cybercrime is big business, some
placing it larger than drug trafficking.   Not surprisingly, government
agencies, Congress, and some professional entities have not overlooked the
potential pitfalls of the problem and have strived to encourage and enforce
a more secure infrastructure in the data center, albeit at times with
reluctance.   HIPAA, GLBA, PCI DSS, SOX, FACTA, FERPA, and FISMA were
discussed with regard to the industries which they cover.  George also
covered recent Arizona law ARS 44-7501 and how it compares to federal laws
such as GLBA and HIPAA, as well as to other states' incident reporting
requirements.

George did a great job expressing the need for sysadmins to be properly
trained within an organization as to policy and procedure (and of course the
need for policy and procedure), and to be prepared to act, with recovery
plans tested before any loss of information, in the event of a
crippling loss of data (the requirements of HIPAA, for example, cover not only
protection of medical records privacy but also the availability of data in
the event of disaster).  The private sector is no less strict on its
respective industries in some cases, as George talked about while discussing
the credit card processing industry's PCI DSS (a joint standard by VISA,
Mastercard, AMEX, and Discover).

Overall the system is far from perfect (of the somewhere between 10,000 and
20,000 reported HIPAA violations since the act's birth, for example, only
about 3 have been or are in the process of prosecution).  Nevertheless,
companies must be aware of which requirements, standards, and guidelines
affect their activities, plan for and implement the necessary measures, and test
those measures for mitigation, transfer, or acceptance (with accompanying
contingency plans in such cases) of the risks involved.  Even if a company
has experienced people to assess risk, it is recommended to have at least a
third-party review of assessments in order to verify the results.  While
assessment and testing can be very beneficial to overall security, George
also pointed out that they can be very useful to company marketing, which
is another potential area for finding needed resources ($$) for assessment,
testing, and implementing the needed mitigation, transfer, or acceptance of
risk.

Links:
http://lopsa.org/SysAdminDays-Phoenix#Compliance
http://lopsa.org/files/LOPSA%20-%20Rosetta%20Stone.pdf

Other links
http://georgetoft.com/
http://georgetoft.com/presentations/

-- 
-------
Ben