© Critical Informatics Inc., All Rights Reserved 2016

Threat Intelligence Blog

The Been There, Bled There Blog that covers, well, just about anything that we feel you can gain critical insight from. We wear our battle scars with pride and are grizzled enough to occasionally yell, "Get off of my Lawn!" As they say, "You Can't Make This Stuff Up!"
(206) 687-9100
The information technology world has changed very quickly in just the last few years. It's not just the adoption of the cloud as a preferred data center and the changing knowledge requirements of IT practitioners - information security has taken on a whole new meaning. And because technology leads policy by a goodly amount, we're finding ourselves having to catch up quickly. When your surveillance cameras are weaponized to take down parts of the Internet, something's gotta be done.

Options to pull ourselves out:

1. Legislative leadership to impose regulatory requirements, define illegal activities and create a greater role for local law enforcement (this will be the subject of a later blog.)
2. Industry self-regulation, through the creation of standards and adoption of market forces.
3. The public-private hybrid: use of the government purse to enhance the uptake of demonstrably secure products (a la FedRAMP). That's already happening a bit, as is the creation of the equivalent of a "UL" listing for products that meet standards (which hopefully include plans for ongoing patching, upgrades and maintenance.)

In parallel, what is emerging, driven both by regulators and the private sector, is a focus on third parties. While industry comes up with its own standards for what it will buy and what it won't, the dangers of suppliers and vendors with network access or interconnected services have become an elephant in the room that has the potential to affect everyone.

So here we are. Legislative gridlock (and that's being generous), technology rapidly outpacing policy, everyone being sued, and needing to control the poorly engineered, poorly deployed, and barely maintained Internet of Things that's already bitten us. Emerging response: push liability and security expectations onto third parties, in part through expanding the purview and reporting requirements of existing regulatory requirements.

Regulatory agencies expanding their purview:

- HHS/OCR - Covered entities must now report ransomware events
- SEC - Leveraging large breaches to expand controls/risk reporting
- FTC - Deceptive trade practice fines are being used against breached companies

Regulations expanded to cover vendors and service providers:

- PCI - service provider security now in scope
- HHS/OCR - HIPAA business associates now subject to HIPAA audit

What do we make of this information? I think at this point, and this is especially true for those of us in the information security service provider business, that regardless of whether your company is under regulatory requirements that specify an expectation for cyber security controls, if you are a vendor or service provider to those sectors that are, the microscope is being focused on you right now and your expectation should be that your controls reflect that.

Secondarily, market-driven security should be encouraged through procurement processes. Markets have a wonderful ability to "freeze out" products, services and vendors that diminish security, just by applying a little more "score" to products that can be demonstrated as free of security defects, and with maintenance plans that keep them that way. In my view, this will proceed apace and has the potential to move the needle far more effectively than regulation.
Regulatory Scope Creep – We're All Third Parties Now
11/11/2016, by Michael Hamilton, CISSP, CEO