If you missed part one of this series, automation, risk management, increased regulation and enforcement led the most important trends in regulatory compliance as ranked
XBRL compliance is here
As SearchCompliance.com senior news writer Linda Tucci observed in "XBRL reporting not just for SEC anymore, but business is slow to adopt," "by mid-2010, public companies with market capitalizations of more than $700 million must report financial statements to the U.S. Securities and Exchange Commission (SEC) formatted in XBRL. By 2011, virtually all public company filers will be required to use XBRL reporting, according to the SEC's final rule issued last year. For the nation's 50 largest companies, the SEC XBRL mandate kicked in last year."
You can read a summary of SEC guidance on XBRL compliance in the Interactive Data for Financial Reporting guide. The original rules for XBRL compliance are also available online, in Chapter 6 of the EDGAR Filer Manual. Compliance officers and chief financial officers would be well-advised to be familiar with both, as they will be responsible for assuring that content in SEC XBRL meets all reporting requirements.
PCI DSS compliance expands
"I expect PCI to go big," said Akamai Technologies Inc. CISO Andy Ellis. "That will include the requirement for Level 2 merchants to get an on-site audit. I expect auditors to shift from SOX as a revenue stream to PCI as a revenue stream. We'll see more auditors creating work for themselves by finding problems you need to remediate." Martin McKeay, host of the Network Security Podcast, agrees: "Despite criticism of PCI, it will continue to expand, requiring much more of level 3 and 4 merchants, including QSA involvement."
Anton Chuvakin, an independent security consultant and well-known PCI DSS compliance expert, predicted on his blog that "PCI DSS will continue its march. In fact, I bet PCI DSS frenzy will further spread down market. While some people criticize it for specific requirements or missing things here and there, I still swear that those organizations who paid NO attention to security now do it ONLY because of PCI."
Disaster recovery requires attention
"History demonstrates that the further companies get from a major disaster event, the more complacent the business continuity and disaster recovery practices become," said Dan Kennedy, CISO of Praetorian Security Group LLC. "Companies will be faced with ensuring that plans are up to date, that contact information is accurate, that systems fail over as expected, and that hot sites, dual data centers, colocation setups and the like all function as designed. Many of these mechanisms have suffered during the corporate constriction of the past two years, continue to do so, and leave firms' disaster recovery capabilities very brittle in the face of an actual disaster."
Compliance with business continuity management standards demonstrates that a company is committed to protecting its business, although the U.S. still falls short of making BCM mandatory. Preparing for disaster recovery and business continuity will be an important element of risk management in 2010. A sound regulatory compliance management policy must have its priorities in order, including document management, security standards and leadership.
Vendor security management
"On the government side, they'll start seriously looking at vendor security management as they realize the following things," said Michael Smith, a Virginia-based security officer and blogger at Guerilla CISO. "Cloud computing is becoming more pervasive. Most government IT systems are built by system integrator contractors. E-health records are becoming 'federalized' under research grants and health care reform programs. Government IT security is dependent on commercial off-the-shelf software vendors. Basically, all of our doctrine and compliance frameworks are focused on integration issues: architecture, configuration, change control, etc. That will only take us so far because it doesn't address the root cause of the problem: junk code."
That recognition is already happening, in at least one department: The Department of Homeland Security wants to see better application security throughout the development lifecycle to avoid software supply chain risk.
Carbon compliance heats up
Sustainability in a "carbon economy" is a hot topic, given that greenhouse gas emissions and a shift to an economy that regulates carbon output are well under way. If a proposed cap and trade bill passes, understanding and implementing compliance requirements for greenhouse gas emissions won't be a theoretical exercise.
Compliance officers may need to watch that carbon footprint: If regulations that mandate carbon compliance do make it through Congress, technology providers that help turn carbon footprint management into cost savings can benefit.
FTC Red Flags Rule (finally) applies
"The FTC Red Flags Rule is one of the most important compliance items for 2010," said Christophe Veltsos, president of Mankato, Minn.-based security consultants Prudent Security LLC. Under the Federal Trade Commission's (FTC) Red Flags Rules, all financial institutions and creditors with covered accounts are required to create an identity theft prevention plan. The FTC has extended the enforcement deadline for the Red Flags Rule to June 1.
The North American Reliability Corporation (NERC) is an international, independent, self-regulatory, not-for-profit organization that oversees the reliability and security of the nation's energy grid.
NERC has created Critical Infrastructure Protection Standards to improve physical security and cybersecurity, addressing all relevant vulnerabilities. NERC regulations affect all bulk power system owners, operators and users, each of which must comply with approved NERC reliability standards. Each of these entities is required to register with NERC through the appropriate regional entity.
Given expectations for so-called "smart grid" improvements in the United States in coming years, and the widely reported penetration of the energy grid by cyberspies, NERC compliance will be critical to the energy industry. And given the cybersecurity risks that exist for critical infrastructure, NERC compliance should not be an exercise in checklist management.
"I hope that there's a lean towards actually being secure instead of just 'checkbox' ready," said Rob "Mubix" Fuller, a Washington, D.C.-based penetration tester associated with Hak5.org and Room362.com. "Compliance should be a constant standard instead of a yearly or monthly assessment."
Mobile workforce risks
Emerging technologies that allow users to broadcast their geographic location are raising many issues for companies and CIOs, ahead of any move by legislatures and the FTC to rule on their legality or on the regulations that govern them. "Everything is moving out to the mobile platforms, outside of the bounds of your enterprise," said Chris Ensey, IBM Federal's principal security strategist. "When you talk compliance, you must think about your roaming clients, handhelds and data in the cloud. This breaks the model for current compliance guidelines. We need to broaden our scope to take into account what leaves your enterprise and how it is managed. The potential for data leakage is too great to not have comprehensive management infrastructure and DR plans in the event of a lost or stolen edge device. I think that the mobile platform is the future target of choice for our adversaries; this needs to be a focal area."
The issues around the lack of specific governance aren't minor, either. As reported by Wired, Sprint Nextel Corp. provided federal law enforcement agencies with customer location data 8 million times over the course of a year.
Social networking challenges
The proliferation of social networking represents a complex challenge for compliance officers who need to balance privacy, productivity and data protection. Compliance concerns will dog many so-called "enterprise 2.0" collaboration platforms that apply Web 2.0 software behind the firewall. CIOs need to walk a fine line when deploying enterprise 2.0 collaboration platforms: keep access open and information flowing but enable security and compliance.
"Further fallout from the Wall Street collapse of 2008 will cause increased regulatory scrutiny of events surrounding it, and will put incredible pressure on the electronic document retention practices of financial firms," said Kennedy. "These practices, now moving well outside of just retaining email -- which many firms still don't perform to the level required by regulatory requirements -- will continue to be put under pressure by advancements of instant messaging platforms … the continued integration of IM and email into social media platforms like LinkedIn, Twitter and Facebook, all generating messages that are required to be archived, and the continued proliferation of noncompany mobile devices containing email and messaging."
Compliance officers need to draft a secure social media policy and secure employee acknowledgement to set expectations for online privacy in the workplace. For others, investing in social media data archiving may be an important hedge as regulations are extended to cover social messaging. Private social messages on Facebook, for instance, have already been included in e-discovery under Canadian law.