Tuesday, June 05, 2007

PCI Might Become Law in CA As Well?

Wow, is this (and this) a trend or what? CA is also looking at "PCI"-like law.

"The legislation would also require merchants to use so-called strong encryption routines and access controls while storing or transmitting other types of data, such as card numbers and the names of account holders."

Well, hopefully they mandate logging and log management as well :-)

So, all this "security as a law" makes some people (MJR?) uneasy. Why? Here are the reasons I've heard:
  • People will fall to the lure of "checkbox security" and only adopt the bare minimum
  • Law will be abused (see DMCA)
  • Legal Depts will determine what security measures are "necessary"
However, I don't think that this stuff is necessarily all that bad, and the above points are debatable at best. I see the world becoming more secure overall as a result of such regulation (in any case, it seems more compelling than fake ROI studies as a driver for security adoption ...)

UPDATE: this blurb shows some of the reasons folks hate "legalized security." It even equates future security with "lawyer-driven regulatory compliance-centric checkbox." Further in the piece it covers some of the reasons why it is not so bad (which I happen to agree with). This might be premature ("Information security as a whole moves from a poorly defined, immeasurable cost center to a clearly specified, predictable compliance function."), but it seems like overall progress.


Anonymous said...

I think that states adopting 'PCI DSS-like' laws is overall a good thing.

I do think that there is always a risk of "checkbox security". I think that it is quite possible that an organization will focus on compliance rather than security, focusing on the letter, rather than the spirit, of the mandate.

However, for some organizations even "checkbox security" would be a step up from what they have. Even if all of the businesses in a given state (MN, TX, CA, etc.) just "go through the motions", the net result will probably be more secure. The pitfall is in believing that they are more secure than they truly are.

Anton Chuvakin said...

Totally! That is exactly my opinion:

a) "checkbox security" is harmful since it creates false expectations

b) "checkbox security" is useful for those who would otherwise have NO security ("secured by luck" logo :-))

Dr Anton Chuvakin