SAN FRANCISCO - Finding cost-effective ways to comply with new regulatory requirements and safeguarding data in e-commerce are among today's most vexing issues for security managers, according to those attending two confabs last week.
Helping their companies comply with federal laws such as Sarbanes-Oxley and California's data privacy law is becoming a big focus, said security managers at the annual NetSec Conference. Electric utilities say they face a panoply of new requirements to protect the supervisory control and data acquisition (SCADA) networks used to monitor and control gas and power relays. Some attendees said the new industry rules, called the North American Electric Reliability Council (NERC) Cyber Security Standard 1200, are going to be expensive and difficult to implement because SCADA systems, while now IP-based, weren't designed with top-rate security in mind.
"Anti-virus software doesn't work on these SCADA systems," said Robert Childs, information security analyst at the Public Service Company of New Mexico, who spoke at NetSec about the challenges in working with SCADA vendors to get them to comply with the new rules. "Many of these systems are based on old Intel 8088 processors, and security options are limited to us."
NERC Cyber Security Standard 1200, which takes effect next January, will require electric utilities to define and document "critical cyber assets" on their SCADA networks, monitor access and protect information, and document recovery plans, testing, training and systems management. "You have to assign a member of senior management to be accountable," Childs said.
Compliance by his employer will entail adding substantial numbers of firewalls and intrusion-detection systems - and Childs said it's unclear whether commercial IDS products will work on the network, given the different traffic patterns found on SCADA networks.
Outsourcing call centers, data centers and software development abroad is another area security managers said they are increasingly paying attention to. They warned of regulatory concerns and security pitfalls.
Philip Alexander, security services manager at Wells Fargo Bank in San Francisco, said the bank has outsourced to India and has learned that regulations such as Sarbanes-Oxley and the California data privacy law still apply to data handled abroad.
"Just because the data is outside your network with a third party in another country, you still own it," Alexander said during a presentation at NetSec. "And your network is only as secure as their network."
This means, at a minimum, having foreign workers sign the same kind of data-use agreements that American workers sign, specifying what constitutes data misuse. But he acknowledged that it's much harder to monitor what happens abroad. Foreign legal structures also see things differently - for instance, it's virtually impossible to do a background check on a worker in India. "Birth dates are frequently not recorded," he noted.