The Evolution of a Standard: How Compliance Regulations Get Made (Birth of a New Industry)
Michael Dahn, Global PCI QA Manager
Monday, July 5, 2010

How compliance regulations get made


Page 1: How compliance regulations get made

© 2008 Verizon. All Rights Reserved. PTE13156 09/08

GLOBAL CAPABILITY. PERSONAL ACCOUNTABILITY.

The Evolution of a Standard: How Compliance Regulations Get Made (Birth of a New Industry)

Michael Dahn

Global PCI QA Manager

Monday, July 5, 2010

Page 2

Background on Regulation & Deregulation

• Airline:
  – Civil Aeronautics Board (1937)
  – Airline Deregulation Act (1978)

• Railway:
  – Interstate Commerce Commission (1887)
  – Railroad Revitalization and Regulatory Reform Act (1976) / Staggers Rail Act (1980)

• Trucking:
  – Motor Carrier Act (1935)
  – Motor Carrier Regulatory Reform and Modernization Act (1980)

• Energy:
  – OPEC price hikes (1973)
  – Emergency Natural Gas Act (1977)

• Finance:
  – Glass-Steagall Act (1933)
  – Gramm-Leach-Bliley Act (1999)

http://en.wikipedia.org/wiki/Deregulation


Page 3

Why Regulation?

• Trying to get a handle on large problems that affect many individuals
  – Monopoly
  – Poor conditions
  – Unbound risk
  – Consumer protection

Image from Hugh MacLeod of Gaping Void


Page 4

Pattern of Data Loss

• Large Data Breaches (in millions)
  – 3.9 :: Financial institution in 2005
  – 4.2 :: Supermarket chain in 2008
  – 5 :: Online bill pay in 2007
  – 6.3 :: Online trading company in 2007
  – 8.5 :: Banking service provider in 2007
  – 12.5 :: Bank in 2008
  – 17.7 :: Online adult entertainment in 2006
  – 28.6 :: Government agency in 2006
  – 40 :: Payment service provider in 2005
  – 45.7 :: Retail store in 2007
  – 76 :: Government agency in 2009
  – 130 :: Payment processor in 2009

• Evolution of Methods
  – Flat files, network sniffing, serial port sniffing, custom malware
  – EU: retail moved to e-commerce


Page 5

History of Regulatory Time

http://www.informationshield.com/papers/A%20History%20of%20Regulatory%20Time.pdf

Page 6

Vaccinations & Regulatory Compliance

• The problem is that although almost all agree that vaccination is positive for the population, not everyone agrees that it is positive for the individual

• Individuals say:
  – My environment is already secure
  – I know how to manage risk better than the regulatory bodies
  – My environment is special and unique and does not fit into your Procrustean boxes

• Are we as secure as we think we are?
  – Do we rely on third parties?
  – Who do we share data with?
  – Who do we give access to our data and systems?


Page 7

Vaccinations & Regulatory Compliance

• Economics of Immunization and Compliance
  – A poorer population will benefit more strongly from an immunization program than one that maintains a high level of sanitation, health care, and treatment programs
  – A more vulnerable population (e.g. retail, restaurants, higher education, e-commerce, etc.) will benefit more from regulatory compliance than one that is more highly secure

• The cause of action to vaccinate a population is to immunize them from each other
  – Card data stolen from one location can affect fraud at another location, resulting in mutually assured negative impact

• Tipping point of vaccination
  – “An aggressive vaccination program that first targets children and ultimately reaches 70% of the US population would mitigate pandemic influenza H1N1”
    » Vaccine and Infectious Disease Institute (VIDI) at Fred Hutchinson Cancer Research Center


Page 8

Inflection Points and Traffic Jams

• Inflection Points (“Tipping Point”)
  – “An inflection point occurs where the old strategic picture dissolves and gives way to the new” – Andy Grove in Only the Paranoid Survive

• Where are we on the “Sine Wave of Pain”?

Image from UnderstandingCalculus.com

Page 9

Page 10

Traffic Patterns and Modeling

• Kurt Vonnegut's Cat's Cradle “Ice-Nine”
  – Polymorph of water that freezes at 45.8 °C (114.4 °F) instead of 0 °C (32 °F)
  – One shard of Ice-Nine is the catalyst

• “Hysteresis” (physics)
  – “A state of traffic depends not only on its density but on its history – on whether it was previously denser or less dense. As the traffic rate rises and then falls, the flow rate follows a loop.”
    » Critical Mass by Philip Ball

• Nagel-Schreckenberg (NaSch) model

Page 11

Traffic Jams and Industry Regulation

http://www.myhomezone.co.uk/project/Report.htm

[Figure; labels: “Critical density”, “Critical event”]

Page 12

Traffic Jams and Industry Regulation

http://www.myhomezone.co.uk/project/Report.htm

Page 13

Entering and Exiting a Traffic Jam

1) Traffic density rises over time

2) Critical event occurs

3) Critical traffic density maintained

4) “Regulation” to ease traffic

5) Traffic density eases over time

6) “Deregulation” when no longer necessary

http://www.myhomezone.co.uk/project/Report.htm
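The six-step cycle above rests on the Nagel-Schreckenberg model named on page 10: flow rises with density until a critical density is reached, after which a single slowdown (the “critical event”) seeds a jam that persists. The following simulation is an added illustration, not part of the slides; the ring-road length, speed limit, dawdling probability and measurement window are my own choices, and the initial evenly spaced state is constructed.

```python
"""Nagel-Schreckenberg (NaSch) cellular-automaton traffic model on a ring road."""
import random


def nasch_flow(density, length=200, v_max=5, p_slow=0.0,
               warmup=200, measure=200, seed=1):
    """Mean flow (cars passing a cell per time step) at the given car density.

    p_slow is the NaSch dawdling probability. With p_slow=0 the model is
    deterministic and its steady-state flow is min(v_max*density, 1-density).
    """
    rng = random.Random(seed)
    n_cars = int(round(density * length))
    if n_cars == 0:
        return 0.0
    # Constructed initial state: cars spread evenly around the ring, at rest.
    pos = [i * length // n_cars for i in range(n_cars)]
    vel = [0] * n_cars
    moved = 0
    for step in range(warmup + measure):
        new_vel = []
        for i in range(n_cars):
            gap = (pos[(i + 1) % n_cars] - pos[i] - 1) % length  # free cells ahead
            v = min(vel[i] + 1, v_max)                # 1. accelerate
            v = min(v, gap)                           # 2. brake: never hit the car ahead
            if v > 0 and rng.random() < p_slow:
                v -= 1                                # 3. random slowdown (dawdling)
            new_vel.append(v)
        vel = new_vel                                 # all cars update in parallel
        pos = [(x + v) % length for x, v in zip(pos, vel)]  # 4. move
        if step >= warmup:                            # measure only after transients
            moved += sum(vel)
    return moved / (measure * length)


def fundamental_diagram(densities, **kwargs):
    """[(density, flow), ...]: flow rises with density until it collapses."""
    return [(d, nasch_flow(d, **kwargs)) for d in densities]


def critical_density(densities, **kwargs):
    """Density at peak flow: below it traffic is free, above it jams persist."""
    return max(fundamental_diagram(densities, **kwargs), key=lambda df: df[1])[0]


if __name__ == "__main__":
    grid = [i / 10 for i in range(1, 10)]
    for d, flow in fundamental_diagram(grid, p_slow=0.3):
        print(f"density {d:.1f}  flow {flow:.3f}")
```

Run it with p_slow=0 and the flow traces the two straight lines of the deterministic model; with p_slow=0.3 the same density grid shows the collapse in flow once the critical density is passed.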

Page 14

What’s the Solution?

• “Building more roads to ease traffic is like trying to cure obesity by loosening the belt”
  – Richard Moe, Head of the US National Trust for Historic Preservation

• Simply applying “more” security does not necessarily mean you achieve “better” security
  – Can you put fewer cars on the road rather than building more roads?

• Help prevent data sprawl
  – Security is required where data is maintained
    » Data, data, anywhere?
    » Data, data, everywhere?
  – Reduce scope through grouping of systems
  – The more complex a system, the harder (and more costly) it is to maintain

Page 15

What’s the Solution?

• Examine Use Cases
  – Medical record data vs. Payment card data
  – Data retention sometimes required, but what do you retain?
    » Debt collection agencies
    » Recurring payments
    » Data mining and analysis

• Cost to secure data vs. Business need for data
  – Cost of securing data can be proportional to the volume of it

• Brute force is effective but costly, while the elegant solution is simple and secure
  – “PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.”
  – Tokenization
  – Point-to-Point (End-to-End) Encryption
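Tokenization is the concrete form of the scope-reduction argument on this and the previous page: once a downstream system holds only tokens, it no longer stores, processes or transmits PANs, and only the vault remains in PCI DSS scope. The code below is an added illustration, not from the slides or any Verizon tool; the token format, the in-memory vault (a stand-in for an HSM-backed one) and the scope check are my own choices, and 4111111111111111 is the well-known test card number.

```python
"""Tokenization as a PCI DSS scope-reduction technique."""
import re
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for an HSM-backed vault; the only component holding PANs."""

    def __init__(self):
        self._pans = {}   # token -> PAN

    def tokenize(self, pan: str) -> str:
        """Replace a PAN by a random, non-numeric token keeping only the last four digits."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        body = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        token = f"tok_{body}_{pan[-4:]}"
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; everything else works with tokens."""
        return self._pans[token]


PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    """Scope check: does a record still carry a Luhn-valid digit run of PAN length?"""
    return any(luhn_valid(m.group()) for m in PAN_PATTERN.finditer(text))


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")              # well-known test PAN
    print(tok, contains_pan(f"order 42 paid with {tok}"))  # ... False
```

Running contains_pan over exported records, logs and database dumps is the same check an assessor applies when deciding whether a system is in scope; a token that keeps only the last four digits fails it by construction.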

Page 16

Measuring the Problem

• “If all economists were laid end to end, they would not reach a conclusion.” – George Bernard Shaw

• Solve tomorrow’s problems with today’s technology
  – Problems are not hard if we know which ones to solve

• Plugging one hole doesn’t save the levee
  – Reducing card-present fraud drives attackers online
  – Reducing fraud in one country drives them to others
  – Only a holistic solution will work on such interconnected systems

Page 17

3 Habits of Highly Effective Regulation

• Education!
  – Drives adoption and adherence

• Flexibility of controls
  – 100% compliance is not the goal when system failures occur in groups
  – PCI DSS “Compensating controls”
  – EU Data Protection Directive “Comply or explain”

• More data for Risk Modeling
  – Can we ever manage risk on a moving target?
  – Frequentist vs. Bayesian statistics

Page 18

Questions?
