Opportunity 2012: Compliance Changes Driving IT Spending
While IT compliance initiatives may not necessarily make your heart race the way news about an iPhone 5 would, they could make your CFO's heart race. That's because regulatory requirements are a big part of what's driving IT security spending and will continue to do so in 2012. IT solution providers are in a position to reap the rewards of this opportunity by helping customers prepare for changes in the coming year. Here's a look at seven regulatory compliance changes that you should have on your radar for 2012.
FFIEC
Online banking institutions will be held to more rigorous security demands from the Federal Financial Institutions Examination Council (FFIEC) starting in January. That is when examiners begin assessing financial institutions against risk assessment best practices, including stronger fraud protection and the use of layered security technology to augment the multi-factor authentication requirements laid out in FFIEC's previous guidance update, issued in 2005.
PCI DSS 2.0
Released well over a year ago, version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) offers some key tweaks to the requirements, including clarifications on encryption key management, network segmentation and risk-based vulnerability assessments. Enforcement of the changes starts in January.
Federal Trade Commission
While there are no new regulations from the FTC, this agency plans more enforcement of its Fair Information Practice Principles, which govern how companies collect, use and protect information about customers online. FTC cases against Google, Disney and Facebook this year for not following the principles show that companies need to treat these rules more seriously next year.
Securities and Exchange Commission
In October of this year the SEC let it be known that it wants public companies to start informing shareholders when they experience 'material cyber attacks.' In 2012, public companies must be ready to disclose the financial implications of the breaches and incidents they experience.
HIPAA
The coming year may well be the year that HIPAA grows teeth. The Office for Civil Rights (OCR) recently started a program to audit organizations for HIPAA compliance. When the OCR notifies an organization that it is subject to audit, the organization will have only 10 days to produce the requested documentation.
ISO 27036
It may not be ratified yet, but experts believe that the ISO 27036 standard currently making the rounds for approval could become the de facto security standard by which prospective customers measure third-party service providers, cloud or otherwise. Partners would do well to know the ins and outs of this standard before it goes live.
FinCEN
Starting in June 2012, financial institutions could be required to adhere to new updates from the Financial Crimes Enforcement Network (FinCEN) on how they manage electronic reporting for Suspicious Activity Report (SAR) filing. These organizations will need to keep an eye on FinCEN updates and treat them with due care.