IT Policy Compliance: 2007 Year in Review
Monday, April 21st, 2008
Looking back, those who specialize in the history of corporate and cultural debacles may one day hail 2007 as the year when the dusty topic of document retention became a matter of corporate life and death. Thanks to the pervasiveness of networked computers, corporate data proved again and again that it could not only leak into the wild but, once there, take on a life of its own and do enormous harm to its parent.
PCI DSS Follies
The poster child of this dangerous new world would have to be The TJX Companies Inc., whose announced data breach in January did indeed seem to take on a life of its own. Originally pegged at 45.6 million card numbers, by the end of the year the company was admitting that the breach was more like 96 million numbers, and the event was costing the $17 billion retail chain an estimated $216 million.
TJX announced few details, but various court filings and a report by the Canadian privacy commissioner indicated that hackers penetrated the obsolete WEP encryption gear of two Marshalls stores, got into the retailer’s corporate network, and siphoned 80 gigabytes of cardholder data over a nearly two-year period. TJX finished upgrading to the more reliable WPA encryption standard in January 2007, about when the intrusion was detected.
Court filings accused the company of violating nine of the 12 controls mandated by the Payment Card Industry Data Security Standard (PCI DSS), including storing too much data. Perhaps coincidentally, the PCI Security Standards Council thereafter announced its new Payment Application Data Security Standard (PA-DSS), intended to help software vendors write applications that avoid storing data prohibited by the PCI DSS.
More Data Breaches
TJX, meanwhile, was hardly alone: one survey indicated that 85 percent of US corporations had suffered a data breach of some kind. Nor were things different overseas, judging from Her Majesty’s Revenue & Customs (the UK tax authority), which triggered a scandal when it lost two CDs containing sensitive information on 25 million citizens, including nearly every child in the realm.
Monster.com got hit twice during the year: hackers siphoned off data to use in targeted phishing attacks, and later diverted users to malicious sites. Pfizer announced breaches in June (file sharing), July (lost laptops), and September (unauthorized access).
Although the VA did not live up to its 2006 fiasco (when it temporarily lost a laptop with 26.5 million names), the agency had so many problems that the House Veterans Affairs Committee held eight hearings just to examine IT security at the VA.
In January the entire state of Israel was impacted when census files (which the government shared with political parties) showed up on a file-sharing network.
Cyberwars
While some data was walking away in lost laptops and file-sharing indiscretions, other data was being actively kidnapped, and cyberwar became a topic of decision-makers as well as science fiction authors. Hostile factions mounted denial of service (DoS) attacks against each other in Estonia and Russia. The White House made cyber security a part of the national defense and pledged millions for it.
Authorities in multiple countries saw file-stealing Chinese hackers lurking in every shadow. Just in December, the Department of Homeland Security blamed China for attacks on the Oak Ridge National Laboratory, and in the UK MI5 blamed China for a wide range of attacks. But there were cooler heads willing to point out that, basically, when it comes to cyber espionage, everyone is now doing it to everyone else. Why go to the expense of maintaining networks of covert operatives when you can get reliable results from a kid with a laptop?
The Dark Side
For all the problems they may or may not have caused, the cyber-spies at least answered to some chain of command, somewhere. The same could not be said of the world’s grassroots hackers, especially the ones who created the so-called Storm Worm and its highly successful botnet. By summer it had infected as many as 50 million machines (some put it closer to 15 million) and experts were nervously noting that it amounted to the world’s biggest supercomputer, capable of taking down the entire Internet with DoS attacks. Mostly, though, it sent out pump-and-dump spam.
Then came the Storm Worm’s 9-11, as Microsoft added the Storm Worm to the Microsoft Malicious Software Removal tool on September 11. Infections dropped 20 percent overnight. By October the botnet had shrunk to 160,000 machines.
As for spam, pundits began to talk about Spam 2.0, which has no visible link to the source of its funding. Basically, fraud artists send spam touting some penny-stock into which they have bought a position. The price of the stock goes up slightly, and the spammer sells.
But there was also trouble on the Dark Side, as indicated by the sudden disappearance of the so-called Russian Business Network. This hacker-friendly consortium suddenly went dark in November, re-appeared in China two days later, and went dark again. Sadly, no one seemed to believe that it was gone for good.
Regulatory Affairs
Amidst all the excitement, government regulations continued to evolve. Surviving an attempt to have it declared unconstitutional, Sarbanes-Oxley continued to be the law of the land, but the Public Company Accounting Oversight Board issued Auditing Standard No. 5 (AS5) to make Section 404 audits more risk-based, ditching the "account for every dime" approach that previously held sway. The board also issued special guidelines for auditing small firms. In December the head of the SEC suddenly decided that smaller corporations should be given another year’s exemption from complying with Section 404, to give the commission time to determine whether AS5 really saved money. Otherwise, smaller corporations would have needed to demonstrate compliance for fiscal years ending after December 15, 2008.
The SEC agreed to allow foreign firms to file their statements using International Financial Reporting Standards (IFRS) instead of Generally Accepted Accounting Principles (GAAP), and was reportedly toying with the idea of letting US firms do the same.
Eight years after it was passed, the SEC and the Federal Reserve set rules to enact the final provisions of Gramm-Leach-Bliley, defining which securities transactions a bank can conduct without registering as a broker.
Final Basel II implementation rules were also published by the Fed, for banks with assets exceeding $250 billion or foreign exposure of at least $10 billion. The new risk-based capital adequacy framework is supposed to be rolled out in stages covering at least four years.
Finally, many corporate IT departments spent 2007 learning how to talk to corporate legal departments, as a result of last year’s amendments to sections 16, 26, 33, 34, 37 and 45 of the Federal Rules of Civil Procedure, which created comprehensive rules governing the discovery of electronically stored information as part of the litigation process. Basically, a corporation must preserve all files that might be involved in litigation, and must be able to produce them in a usable form. In May, a federal court in Maryland issued a detailed protocol covering issues that opposing attorneys should settle before the electronic discovery process can proceed. Among other things, they must decide whether metadata is to be preserved, who will pay for the preservation, retrieval and production of the files, and how to redact data that is not deemed discoverable.
Lamont Wood is a freelance writer in San Antonio who has been covering the information technology field for a quarter century.