SlideShare uma empresa Scribd logo

How compliance regulations get made

Mike D
Mike D
TecnologiaNegócios
1 de 18
Baixar para ler offline
The Evolution of a Standard : How Compliance Regulations Get Made (Birth of a New Industry) GLOBAL CAPABILITY. PERSONAL ACCOUNTABILITY. Michael Dahn Global PCI QA Manager © 2008 Verizon. All Rights Reserved. PTE13156 09/08 Monday, July 5, 2010
Background on Regulation & Deregulation • Airline: – Civil Aeronautics Board (1937) – Airline Deregulation Act (1978) • Railway: – Interstate Commerce Commission (1887) – Railroad Revitalization and Regulatory Reform Act (1976) / Staggers Rail Act (1980) • Trucking: – Motor Carrier Act (1935) – Motor Carrier Regulatory Reform and Modernization Act (1980) • Energy: – OPEC price hikes (1973) – Emergency Natural Gas Act (1977) • Finance: – Glass-Steagall Act (1933) – Gramm-Leach-Bliley Act (1999) 2 http://en.wikipedia.org/wiki/Deregulation Monday, July 5, 2010
Why Regulation? • Trying to get a handle on large problems that affect many individuals – Monopoly – Poor conditions – Unbound risk – Consumer protection Image from Hugh MacLeoud of Gaping Void 3 Monday, July 5, 2010
Pattern of Data Loss • Large Data Breaches (in millions) – 3.9 :: Financial institution in 2005 – 4.2 :: Supermarket chain in 2008 –5 :: Online bill pay in 2007 – 6.3 :: Online trading company in 2007 – 8.5 :: Banking service provider in 2007 – 12.5 :: Bank in 2008 – 17.7 :: Online adult entertainment in 2006 – 28.6 :: Government agency in 2006 – 40 :: Payment service provider in 2005 – 45.7 :: Retail store in 2007 – 76 :: Government agency in 2009 – 130 :: Payment processor in 2009 • Evolution of Methods – Flat files, network sniffing, serial port sniffing, custom malware – EU: retail moved to e-commerce 4 Monday, July 5, 2010
History of Regulatory Time 5 http://www.informationshield.com/papers/A%20History%20of%20Regulatory%20Time.pdf Monday, July 5, 2010
Vaccinations & Regulatory Compliance • The problem is that although most all agree that vaccination is positive for the population not everyone agrees that it is positive for the individual • Individuals say: – My environment is already secure – I know how to manage risk better than the regulatory bodies – My environment is special and unique and does not fit into your Procrustean boxes • Are we as secure as we think we are? – Do we rely on third parties? – Who do we share data with? – Who do we give access to our data and systems? 6 Monday, July 5, 2010
Vaccinations & Regulatory Compliance • Economics of Immunization and Compliance – A poorer population will benefit more strongly from an immunization program than one that maintains a high level of sanitation, health care, and treatment programs – A more vulnerable population (e.g. retail, restaurants, higher education, e-commerce, etc.) will benefit more from regulatory compliance than one that is more highly secure • The cause of action to vaccinate a population is to immunize them from each other – Card data stolen from one location can affect fraud at another location resulting in mutually assured negative impact • Tipping point of vaccination – “An aggressive vaccination program that first targets children and ultimately reaches 70% of the US population would mitigate pandemic influenza H1N1” »Vaccine and Infectious Disease Institute (VIDI) at Fred Hutchinson Cancer Research Center 7 Monday, July 5, 2010
Inflection Points and Traffic Jams • Inflection Points (“Tipping Point”) – “An inflection point occurs where the old strategic picture dissolves and gives way to the new” – Andy Grove in Only the Paranoid Survive • Where are we on the “Sine Wave of Pain”? Image from UnderstandingCalculus.com 8 Monday, July 5, 2010
9 Monday, July 5, 2010
Traffic Patterns and Modeling • Kurt Vonnegut's Cat's Cradle “Ice Nine” – Polymorph of water that freezes at 45.8 °C (114.4 °F) instead of 0 °C (32 °F) – One shart of Ice-Nine is the catalyst • “Hysteresis” (physics) – “A state of traffic depends not only on its density but on its history – on whether it was previously denser or less dense. As the traffic rate rises and then falls, the flow rate follows a loop.” »Critical Mass by Philip Ball • Nagel-Schreckenberg (NaSch) model 10 Monday, July 5, 2010
Traffic Jams and Industry Regulation Critical event Critical density http://www.myhomezone.co.uk/project/Report.htm 11 Monday, July 5, 2010
Traffic Jams and Industry Regulation http://www.myhomezone.co.uk/project/Report.htm 12 Monday, July 5, 2010
Entering and Exiting a Traffic Jam 1) Traffic density rises over time 2) Critical event occurs 3) Critical traffic density maintained 4) “Regulation” to ease traffic 5) Traffic density eases over time 6) “Deregulation” when no longer necessary http://www.myhomezone.co.uk/project/Report.htm 13 Monday, July 5, 2010
What’s the Solution? • “Building more roads to ease traffic is like trying to cure obesity by loosening the belt” – Richard Moe, Head of the US National Trust for Historic Preservation • Simply applying “more” security does not necessarily mean you achieve “better” security – Can you put fewer cars on the road rather than building more roads? • Help prevent data sprawl – Security is required where data is maintained »Data, data, anywhere? »Data, data, everywhere? – Reduce scope through grouping of systems – The more complex a system the harder (and more costly) it is to maintain 14 Monday, July 5, 2010
What’s the Solution? • Examine Use Cases – Medical record data vs. Payment card data – Data retention sometimes required, but what do you retain? »Dept collection agencies »Reoccurring payments »Data mining and analysis • Cost to secure data vs. Business need for data – Cost to securing data can be proportional to the volume of it • Brute force is effective but costly, while the elegant solution is simple and secure – “PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.” – Tokenization – Point-to-Point (End-to-End) Encryption 15 Monday, July 5, 2010
Measuring the Problem • “If all economists were laid end to end, they would not reach a conclusion.” – George Bernard Shaw • Solve tomorrows problems with today’s technology – Problems are not hard if we know which ones to solve • Plugging one hole doesn’t save the levee – Reducing card present fraud drives attackers online – Reducing fraud in one country drives them to others – Only a holistic solution will work on such interconnected systems 16 Monday, July 5, 2010
3 Habits of Highly Effective Regulation • Education! – Drives adoption and adherence • Flexibility of controls – 100 % compliance is not the goal when system failures occur in groups – PCI DSS “Compensating controls” – EU Data Protection Directive “Comply or explain” • More data for Risk Modeling – Can we ever manage risk on a moving target? – Frequentist vs. Bayesian statistics 17 Monday, July 5, 2010
Questions? 18 Monday, July 5, 2010

Recomendados

Conducting a self-audit of data protection compliance
Conducting a self-audit of data protection complianceConducting a self-audit of data protection compliance
Conducting a self-audit of data protection complianceFintan Swanton
 
Auditing your EU entities for data protection compliance 5661651 1
Auditing your EU entities for data protection compliance 5661651 1Auditing your EU entities for data protection compliance 5661651 1
Auditing your EU entities for data protection compliance 5661651 1rtjbond
 
Wk1 dq2
Wk1 dq2Wk1 dq2
Wk1 dq2Bridget_R
 
Building an Effective Data Privacy Program – 6 Steps from TRUSTe
Building an Effective Data Privacy Program – 6 Steps from TRUSTeBuilding an Effective Data Privacy Program – 6 Steps from TRUSTe
Building an Effective Data Privacy Program – 6 Steps from TRUSTeTrustArc
 
Data protection ppt
Data protection pptData protection ppt
Data protection pptgrahamwell
 
Privacy, Confidentiality, and Security_lecture 1_slides
Privacy, Confidentiality, and Security_lecture 1_slidesPrivacy, Confidentiality, and Security_lecture 1_slides
Privacy, Confidentiality, and Security_lecture 1_slidesZakCooper1
 
Thierer Internet Privacy Regulation
Thierer Internet Privacy RegulationThierer Internet Privacy Regulation
Thierer Internet Privacy RegulationMercatus Center
 
[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement PrioritiesTrustArc
 

Recomendados

Conducting a self-audit of data protection compliance
Conducting a self-audit of data protection complianceConducting a self-audit of data protection compliance
Conducting a self-audit of data protection complianceFintan Swanton
 
Auditing your EU entities for data protection compliance 5661651 1
Auditing your EU entities for data protection compliance 5661651 1Auditing your EU entities for data protection compliance 5661651 1
Auditing your EU entities for data protection compliance 5661651 1rtjbond
 
Wk1 dq2
Wk1 dq2Wk1 dq2
Wk1 dq2Bridget_R
 
Building an Effective Data Privacy Program – 6 Steps from TRUSTe
Building an Effective Data Privacy Program – 6 Steps from TRUSTeBuilding an Effective Data Privacy Program – 6 Steps from TRUSTe
Building an Effective Data Privacy Program – 6 Steps from TRUSTeTrustArc
 
Data protection ppt
Data protection pptData protection ppt
Data protection pptgrahamwell
 
Privacy, Confidentiality, and Security_lecture 1_slides
Privacy, Confidentiality, and Security_lecture 1_slidesPrivacy, Confidentiality, and Security_lecture 1_slides
Privacy, Confidentiality, and Security_lecture 1_slidesZakCooper1
 
Thierer Internet Privacy Regulation
Thierer Internet Privacy RegulationThierer Internet Privacy Regulation
Thierer Internet Privacy RegulationMercatus Center
 
[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement PrioritiesTrustArc
 
Malcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - SocioeconomicsMalcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - SocioeconomicsIrish Future Internet Forum
 
IT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestIT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestLilian Edwards
 
Privacy & the Internet: An Overview of Key Issues
Privacy & the Internet: An Overview of Key IssuesPrivacy & the Internet: An Overview of Key Issues
Privacy & the Internet: An Overview of Key IssuesAdam Thierer
 
IMA meeting accounting for big data
IMA meeting accounting for big dataIMA meeting accounting for big data
IMA meeting accounting for big dataJames Deiotte
 
The death of data protection
The death of data protection The death of data protection
The death of data protection Lilian Edwards
 
The death of data protection sans obama
The death of data protection sans obamaThe death of data protection sans obama
The death of data protection sans obamaLilian Edwards
 
Global Evolution of Data Sharing
Global Evolution of Data SharingGlobal Evolution of Data Sharing
Global Evolution of Data SharingPERC
 
Malcolm Crompton I I S Frocomm Web 2 O In Govt 24 June 2009
Malcolm Crompton I I S Frocomm Web 2 O In Govt 24 June 2009Malcolm Crompton I I S Frocomm Web 2 O In Govt 24 June 2009
Malcolm Crompton I I S Frocomm Web 2 O In Govt 24 June 2009Frocomm Australia
 
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014
 
IoT & Big Data - A privacy-oriented view of the future
IoT & Big Data - A privacy-oriented view of the futureIoT & Big Data - A privacy-oriented view of the future
IoT & Big Data - A privacy-oriented view of the futureFacundo Mauricio
 
DAY 1_ITEM 4_Privacy and personal data protection.ppt
DAY 1_ITEM 4_Privacy and personal data protection.pptDAY 1_ITEM 4_Privacy and personal data protection.ppt
DAY 1_ITEM 4_Privacy and personal data protection.pptGmvViju1
 
2015 Broadband Tech Summit - Emperitas Preparing the Grid for the Coming Data...
2015 Broadband Tech Summit - Emperitas Preparing the Grid for the Coming Data...2015 Broadband Tech Summit - Emperitas Preparing the Grid for the Coming Data...
2015 Broadband Tech Summit - Emperitas Preparing the Grid for the Coming Data...Utah Broadband Project
 
Banks vs Fintechs | A Revolut and ClauseMatch Event
Banks vs Fintechs | A Revolut and ClauseMatch EventBanks vs Fintechs | A Revolut and ClauseMatch Event
Banks vs Fintechs | A Revolut and ClauseMatch EventClauseMatch
 
Big data and health care
Big data and health care Big data and health care
Big data and health carecjw119
 
Big data and health care
Big data and health care Big data and health care
Big data and health carecjw119
 
GSDI Marine-Coastal SDI Best Practice Webinar No. 1 - 4 Nov 2016
GSDI Marine-Coastal SDI Best Practice Webinar No. 1 - 4 Nov 2016GSDI Marine-Coastal SDI Best Practice Webinar No. 1 - 4 Nov 2016
GSDI Marine-Coastal SDI Best Practice Webinar No. 1 - 4 Nov 2016GSDI Association
 
Marsden #Regulatingcode MIT
Marsden #Regulatingcode MITMarsden #Regulatingcode MIT
Marsden #Regulatingcode MITChris Marsden
 
2017 PlaceConf: Location & Privacy - What Marketers Must Know (Future of Priv...
2017 PlaceConf: Location & Privacy - What Marketers Must Know (Future of Priv...2017 PlaceConf: Location & Privacy - What Marketers Must Know (Future of Priv...
2017 PlaceConf: Location & Privacy - What Marketers Must Know (Future of Priv...Localogy
 
Managing public health information
Managing public health informationManaging public health information
Managing public health informationPPPKAM
 
Korea talk on emerging technology and ideas for Korea's new creative economy...
Korea talk on emerging technology and ideas for Korea's new creative economy...Korea talk on emerging technology and ideas for Korea's new creative economy...
Korea talk on emerging technology and ideas for Korea's new creative economy...Jerome Glenn
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 

Mais conteúdo relacionado

Semelhante a How compliance regulations get made

Malcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - SocioeconomicsMalcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - SocioeconomicsIrish Future Internet Forum
 
IT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestIT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestLilian Edwards
 
Privacy & the Internet: An Overview of Key Issues
Privacy & the Internet: An Overview of Key IssuesPrivacy & the Internet: An Overview of Key Issues
Privacy & the Internet: An Overview of Key IssuesAdam Thierer
 
IMA meeting accounting for big data
IMA meeting accounting for big dataIMA meeting accounting for big data
IMA meeting accounting for big dataJames Deiotte
 
The death of data protection
The death of data protection The death of data protection
The death of data protection Lilian Edwards
 
The death of data protection sans obama
The death of data protection sans obamaThe death of data protection sans obama
The death of data protection sans obamaLilian Edwards
 
Global Evolution of Data Sharing
Global Evolution of Data SharingGlobal Evolution of Data Sharing
Global Evolution of Data SharingPERC
 
Malcolm Crompton I I S Frocomm Web 2 O In Govt 24 June 2009
Malcolm Crompton I I S Frocomm Web 2 O In Govt 24 June 2009Malcolm Crompton I I S Frocomm Web 2 O In Govt 24 June 2009
Malcolm Crompton I I S Frocomm Web 2 O In Govt 24 June 2009Frocomm Australia
 
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014
 
IoT & Big Data - A privacy-oriented view of the future
IoT & Big Data - A privacy-oriented view of the futureIoT & Big Data - A privacy-oriented view of the future
IoT & Big Data - A privacy-oriented view of the futureFacundo Mauricio
 
DAY 1_ITEM 4_Privacy and personal data protection.ppt
DAY 1_ITEM 4_Privacy and personal data protection.pptDAY 1_ITEM 4_Privacy and personal data protection.ppt
DAY 1_ITEM 4_Privacy and personal data protection.pptGmvViju1
 
2015 Broadband Tech Summit - Emperitas Preparing the Grid for the Coming Data...
2015 Broadband Tech Summit - Emperitas Preparing the Grid for the Coming Data...2015 Broadband Tech Summit - Emperitas Preparing the Grid for the Coming Data...
2015 Broadband Tech Summit - Emperitas Preparing the Grid for the Coming Data...Utah Broadband Project
 
Banks vs Fintechs | A Revolut and ClauseMatch Event
Banks vs Fintechs | A Revolut and ClauseMatch EventBanks vs Fintechs | A Revolut and ClauseMatch Event
Banks vs Fintechs | A Revolut and ClauseMatch EventClauseMatch
 
Big data and health care
Big data and health care Big data and health care
Big data and health carecjw119
 
Big data and health care
Big data and health care Big data and health care
Big data and health carecjw119
 
GSDI Marine-Coastal SDI Best Practice Webinar No. 1 - 4 Nov 2016
GSDI Marine-Coastal SDI Best Practice Webinar No. 1 - 4 Nov 2016GSDI Marine-Coastal SDI Best Practice Webinar No. 1 - 4 Nov 2016
GSDI Marine-Coastal SDI Best Practice Webinar No. 1 - 4 Nov 2016GSDI Association
 
Marsden #Regulatingcode MIT
Marsden #Regulatingcode MITMarsden #Regulatingcode MIT
Marsden #Regulatingcode MITChris Marsden
 
2017 PlaceConf: Location & Privacy - What Marketers Must Know (Future of Priv...
2017 PlaceConf: Location & Privacy - What Marketers Must Know (Future of Priv...2017 PlaceConf: Location & Privacy - What Marketers Must Know (Future of Priv...
2017 PlaceConf: Location & Privacy - What Marketers Must Know (Future of Priv...Localogy
 
Managing public health information
Managing public health informationManaging public health information
Managing public health informationPPPKAM
 
Korea talk on emerging technology and ideas for Korea's new creative economy...
Korea talk on emerging technology and ideas for Korea's new creative economy...Korea talk on emerging technology and ideas for Korea's new creative economy...
Korea talk on emerging technology and ideas for Korea's new creative economy...Jerome Glenn
 

Semelhante a How compliance regulations get made (20)

Malcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - SocioeconomicsMalcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
Malcolm Crompton, IIS Partners Irish Future Internet Forum - Socioeconomics
 
IT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestIT law : the middle kingdom between east and West
IT law : the middle kingdom between east and West
 
Privacy & the Internet: An Overview of Key Issues
Privacy & the Internet: An Overview of Key IssuesPrivacy & the Internet: An Overview of Key Issues
Privacy & the Internet: An Overview of Key Issues
 
IMA meeting accounting for big data
IMA meeting accounting for big dataIMA meeting accounting for big data
IMA meeting accounting for big data
 
The death of data protection
The death of data protection The death of data protection
The death of data protection
 
The death of data protection sans obama
The death of data protection sans obamaThe death of data protection sans obama
The death of data protection sans obama
 
Global Evolution of Data Sharing
Global Evolution of Data SharingGlobal Evolution of Data Sharing
Global Evolution of Data Sharing
 
Malcolm Crompton I I S Frocomm Web 2 O In Govt 24 June 2009
Malcolm Crompton I I S Frocomm Web 2 O In Govt 24 June 2009Malcolm Crompton I I S Frocomm Web 2 O In Govt 24 June 2009
Malcolm Crompton I I S Frocomm Web 2 O In Govt 24 June 2009
 
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
 
IoT & Big Data - A privacy-oriented view of the future
IoT & Big Data - A privacy-oriented view of the futureIoT & Big Data - A privacy-oriented view of the future
IoT & Big Data - A privacy-oriented view of the future
 
DAY 1_ITEM 4_Privacy and personal data protection.ppt
DAY 1_ITEM 4_Privacy and personal data protection.pptDAY 1_ITEM 4_Privacy and personal data protection.ppt
DAY 1_ITEM 4_Privacy and personal data protection.ppt
 
2015 Broadband Tech Summit - Emperitas Preparing the Grid for the Coming Data...
2015 Broadband Tech Summit - Emperitas Preparing the Grid for the Coming Data...2015 Broadband Tech Summit - Emperitas Preparing the Grid for the Coming Data...
2015 Broadband Tech Summit - Emperitas Preparing the Grid for the Coming Data...
 
Banks vs Fintechs | A Revolut and ClauseMatch Event
Banks vs Fintechs | A Revolut and ClauseMatch EventBanks vs Fintechs | A Revolut and ClauseMatch Event
Banks vs Fintechs | A Revolut and ClauseMatch Event
 
Big data and health care
Big data and health care Big data and health care
Big data and health care
 
Big data and health care
Big data and health care Big data and health care
Big data and health care
 
GSDI Marine-Coastal SDI Best Practice Webinar No. 1 - 4 Nov 2016
GSDI Marine-Coastal SDI Best Practice Webinar No. 1 - 4 Nov 2016GSDI Marine-Coastal SDI Best Practice Webinar No. 1 - 4 Nov 2016
GSDI Marine-Coastal SDI Best Practice Webinar No. 1 - 4 Nov 2016
 
Marsden #Regulatingcode MIT
Marsden #Regulatingcode MITMarsden #Regulatingcode MIT
Marsden #Regulatingcode MIT
 
2017 PlaceConf: Location & Privacy - What Marketers Must Know (Future of Priv...
2017 PlaceConf: Location & Privacy - What Marketers Must Know (Future of Priv...2017 PlaceConf: Location & Privacy - What Marketers Must Know (Future of Priv...
2017 PlaceConf: Location & Privacy - What Marketers Must Know (Future of Priv...
 
Managing public health information
Managing public health informationManaging public health information
Managing public health information
 
Korea talk on emerging technology and ideas for Korea's new creative economy...
Korea talk on emerging technology and ideas for Korea's new creative economy...Korea talk on emerging technology and ideas for Korea's new creative economy...
Korea talk on emerging technology and ideas for Korea's new creative economy...
 

Último

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 

Último (20)

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 

How compliance regulations get made

  • 1. The Evolution of a Standard : How Compliance Regulations Get Made (Birth of a New Industry) GLOBAL CAPABILITY. PERSONAL ACCOUNTABILITY. Michael Dahn Global PCI QA Manager © 2008 Verizon. All Rights Reserved. PTE13156 09/08 Monday, July 5, 2010
  • 2. Background on Regulation & Deregulation • Airline: – Civil Aeronautics Board (1937) – Airline Deregulation Act (1978) • Railway: – Interstate Commerce Commission (1887) – Railroad Revitalization and Regulatory Reform Act (1976) / Staggers Rail Act (1980) • Trucking: – Motor Carrier Act (1935) – Motor Carrier Regulatory Reform and Modernization Act (1980) • Energy: – OPEC price hikes (1973) – Emergency Natural Gas Act (1977) • Finance: – Glass-Steagall Act (1933) – Gramm-Leach-Bliley Act (1999) 2 http://en.wikipedia.org/wiki/Deregulation Monday, July 5, 2010
  • 3. Why Regulation? • Trying to get a handle on large problems that affect many individuals – Monopoly – Poor conditions – Unbound risk – Consumer protection Image from Hugh MacLeoud of Gaping Void 3 Monday, July 5, 2010
  • 4. Pattern of Data Loss • Large Data Breaches (in millions) – 3.9 :: Financial institution in 2005 – 4.2 :: Supermarket chain in 2008 –5 :: Online bill pay in 2007 – 6.3 :: Online trading company in 2007 – 8.5 :: Banking service provider in 2007 – 12.5 :: Bank in 2008 – 17.7 :: Online adult entertainment in 2006 – 28.6 :: Government agency in 2006 – 40 :: Payment service provider in 2005 – 45.7 :: Retail store in 2007 – 76 :: Government agency in 2009 – 130 :: Payment processor in 2009 • Evolution of Methods – Flat files, network sniffing, serial port sniffing, custom malware – EU: retail moved to e-commerce 4 Monday, July 5, 2010
  • 5. History of Regulatory Time 5 http://www.informationshield.com/papers/A%20History%20of%20Regulatory%20Time.pdf Monday, July 5, 2010
  • 6. Vaccinations & Regulatory Compliance • The problem is that although most all agree that vaccination is positive for the population not everyone agrees that it is positive for the individual • Individuals say: – My environment is already secure – I know how to manage risk better than the regulatory bodies – My environment is special and unique and does not fit into your Procrustean boxes • Are we as secure as we think we are? – Do we rely on third parties? – Who do we share data with? – Who do we give access to our data and systems? 6 Monday, July 5, 2010
  • 7. Vaccinations & Regulatory Compliance • Economics of Immunization and Compliance – A poorer population will benefit more strongly from an immunization program than one that maintains a high level of sanitation, health care, and treatment programs – A more vulnerable population (e.g. retail, restaurants, higher education, e-commerce, etc.) will benefit more from regulatory compliance than one that is more highly secure • The cause of action to vaccinate a population is to immunize them from each other – Card data stolen from one location can affect fraud at another location resulting in mutually assured negative impact • Tipping point of vaccination – “An aggressive vaccination program that first targets children and ultimately reaches 70% of the US population would mitigate pandemic influenza H1N1” »Vaccine and Infectious Disease Institute (VIDI) at Fred Hutchinson Cancer Research Center 7 Monday, July 5, 2010
  • 8. Inflection Points and Traffic Jams • Inflection Points (“Tipping Point”) – “An inflection point occurs where the old strategic picture dissolves and gives way to the new” – Andy Grove in Only the Paranoid Survive • Where are we on the “Sine Wave of Pain”? Image from UnderstandingCalculus.com 8 Monday, July 5, 2010
  • 10. Traffic Patterns and Modeling • Kurt Vonnegut's Cat's Cradle “Ice Nine” – Polymorph of water that freezes at 45.8 °C (114.4 °F) instead of 0 °C (32 °F) – One shart of Ice-Nine is the catalyst • “Hysteresis” (physics) – “A state of traffic depends not only on its density but on its history – on whether it was previously denser or less dense. As the traffic rate rises and then falls, the flow rate follows a loop.” »Critical Mass by Philip Ball • Nagel-Schreckenberg (NaSch) model 10 Monday, July 5, 2010
  • 11. Traffic Jams and Industry Regulation Critical event Critical density http://www.myhomezone.co.uk/project/Report.htm 11 Monday, July 5, 2010
  • 12. Traffic Jams and Industry Regulation http://www.myhomezone.co.uk/project/Report.htm 12 Monday, July 5, 2010
  • 13. Entering and Exiting a Traffic Jam 1) Traffic density rises over time 2) Critical event occurs 3) Critical traffic density maintained 4) “Regulation” to ease traffic 5) Traffic density eases over time 6) “Deregulation” when no longer necessary http://www.myhomezone.co.uk/project/Report.htm 13 Monday, July 5, 2010
  • 14. What’s the Solution? • “Building more roads to ease traffic is like trying to cure obesity by loosening the belt” – Richard Moe, Head of the US National Trust for Historic Preservation • Simply applying “more” security does not necessarily mean you achieve “better” security – Can you put fewer cars on the road rather than building more roads? • Help prevent data sprawl – Security is required where data is maintained »Data, data, anywhere? »Data, data, everywhere? – Reduce scope through grouping of systems – The more complex a system the harder (and more costly) it is to maintain 14 Monday, July 5, 2010
  • 15. What’s the Solution? • Examine Use Cases – Medical record data vs. Payment card data – Data retention sometimes required, but what do you retain? »Dept collection agencies »Reoccurring payments »Data mining and analysis • Cost to secure data vs. Business need for data – Cost to securing data can be proportional to the volume of it • Brute force is effective but costly, while the elegant solution is simple and secure – “PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.” – Tokenization – Point-to-Point (End-to-End) Encryption 15 Monday, July 5, 2010
  • 16. Measuring the Problem • “If all economists were laid end to end, they would not reach a conclusion.” – George Bernard Shaw • Solve tomorrows problems with today’s technology – Problems are not hard if we know which ones to solve • Plugging one hole doesn’t save the levee – Reducing card present fraud drives attackers online – Reducing fraud in one country drives them to others – Only a holistic solution will work on such interconnected systems 16 Monday, July 5, 2010
  • 17. 3 Habits of Highly Effective Regulation • Education! – Drives adoption and adherence • Flexibility of controls – 100 % compliance is not the goal when system failures occur in groups – PCI DSS “Compensating controls” – EU Data Protection Directive “Comply or explain” • More data for Risk Modeling – Can we ever manage risk on a moving target? – Frequentist vs. Bayesian statistics 17 Monday, July 5, 2010