In this old Beast or Buddha post from 2009, our CEO, Drazen Drazic, looked at regulation and compliance. It’s worth reviewing again to see where we stand in 2013, as the Government starts to follow the likes of the US in assessing whether more regulation and compliance is needed.
We welcome your thoughts and comments….
The Introduction – Living it Easy
Having worked in more heavily regulated environments such as the banking and finance sector in many Asian countries (for example, Singapore and Japan), compliance pressures through something like the PCI DSS don’t seem nearly as onerous, nor as huge an immediate and ongoing effort on the part of businesses.
Coming from that world/perspective, something like the PCI DSS is not really new and not nearly as impossible/difficult as it seems to many people in countries like Australia, the US and other parts of the world where regulatory impacts upon IT and IT security have been relatively minimal to negligible.
It is all relative and comes down to the business environment you work in and are used to. Read on:
The Regulators – Toughening Up (Japan)
Think PCI DSS compliance pressures from banks are tough? In Japan, we constantly had the FSA, BoJ and a score of other regulators (or so it felt to me at the time) in our offices, checking one thing or another in regards to our IT operations. No self-assessment questionnaire, quarterly scanning and quick yearly on-site audit and forget about it. We [our investment bank] had no choice but to ingrain good practice into our business – to the extent that it just became part of normal business. But it was extreme and makes PCI DSS compliance look like a piece of cake. Where to start? I could write a book on it. (But let’s keep it brief for everyone’s sake.)
While we had a global and regional CIO, we also had to appoint a local CIO (in title). This was the person who held accountability for all IT and compliance. If the sh*t hit the fan, he was also the “nominated” person who could go to jail in the event that “something” went wrong. Don’t laugh. That was a serious point. (It has happened there.) Aside from my team of IT Security/IT Risk Management people, we had 2-3 “compliance” managers aboard whose full-time roles were to ensure compliance was maintained overall, and who worked with the business units to cover off their compliance requirements. Think people who constantly reviewed compliance, attained sign-offs and ensured that evidence of compliance always existed. (Scope greater than PCI DSS – also covering specifics of banking, trading etc.) Just one example of their “fun” role (and I use this one for no other reason than that, from our experience, most companies fail in this regard and don’t do it because it’s deemed “too hard”) was to ensure that the systems and applications asset registers were always up to date. (Hey, Risk Management 101 – always knowing what you have.) This entailed printing out reams upon reams of paper with every single business application listed – who owned it and who had access to it. (Think banking; and hundreds, if not thousands, of systems and applications.) Each application owner then had to review that list on at least a quarterly basis to ensure that everyone on each list for each application was authorised to access that application and that their level of access was in line with their job/use of the application. (Quarterly over so many systems and applications meant this was a full-time exercise in itself.)
Now multiply this level of work across every other aspect of the IT policies, standards, procedures, processes, additional new compliance requirements etc. (more extensive than the PCI DSS as mentioned) and you’ll be half-way to understanding the stuff we had to deal with on an ongoing basis. In addition, add ongoing updates to the online documented business policies, standards, procedures and processes to ensure all changes were always there, plus hardcopies – printed twice a year in English and Japanese in preparation for the next audit. IT-related audits of one form or another, to some level of detail, probably at least 3-6 times a year (while I was there). Just the tip of the iceberg, but I think you can imagine it. PCI DSS on its own is a picnic.
The Regulators – Toughening Up II (Singapore)
The Monetary Authority of Singapore, while less intrusive in terms of the number of audits they hit us with, were no less serious in terms of their expectations of us – more, sometimes, and with a large emphasis on related overseas-owned entities. (A bit like how you determine the scope of PCI DSS.) Aside from Basel and the upcoming (at the time) Basel II and all other related banking regulatory requirements, they also had/have the “Internet Banking and Technology Risk Management Guidelines”. (Aside: we were part of the original working group that put this together.) Three things before I start: (1) “Internet Banking” is read as all IT in the bank, (2) “Guidelines” means you had better be doing this if you want to make us happy and (3) “Guidelines”, and knowing what the MAS meant, we did it to granular detail – i.e. controls to very detailed levels – predicting worst-case expectations. Enough said.
The Internet Banking and Technology Risk Management Guidelines (which I will refer to as “the guidelines”) differ from the PCI DSS but aim for similar results. I suppose you could make the argument here as to whether the approach taken could be better than that of the PCI, but, saying that, I acknowledge that the PCI DSS serves a different initial purpose and plan and is intentionally prescriptive, whereas the guidelines place the onus on the organisation to determine the level and type of implementation based more upon internal risk assessment flowing into ownership and acceptance. (I’ve provided a link above to the guidelines. I recommend the read.)
The MAS were good to work with as long as you operated the way they wanted you to. The compliance model we used in Japan was also deployed into Singapore and there was never a shortage of compliance-related work that kept everyone from IT to business staff busy. You just did it because you had to, but there was an acknowledgement (for most of the time at least) that the purpose the regulation served was good. The regulators were never far away but were less intrusive, as I mentioned. We only generally had one audit from them a year BUT that usually meant at least 3 months of planning and work from our end (touching every part of the business) to ensure we had all the evidence to support that everything we did was in line with their expectations/“guidelines”. 16 binders in duplicate (32) – full of all policies, standards, procedures and processes plus all supporting documentation and sign-offs for every aspect of the guidelines… and more. (Well, you needed to show you were going above and beyond the minimal baselines, didn’t you?!) Audits would take weeks and by the time they were done, including all follow-ups, you were almost ready to start planning for the next one.
Regulation Grinding Business to a Halt
Business did not grind to a halt. Business continued to boom (peaks and troughs depending upon the markets, like it does in investment banking) and the impacts of regulatory compliance on IT came to be accepted like all the other regulatory requirements imposed upon us. Sure, projects were delayed initially. Some were even canned totally because of it (like the New York-developed product for high net-worth individuals that had been 2 years in planning and development, only for us to mention to New York that it didn’t pass the guidelines). Over time, with the business getting used to the “rules” and giving consideration to good practices, it became part of day-to-day business, so things to do with IT were becoming part of the overall business planning processes. (Stuff we complain about all the time as not happening to the level it should.)
From my perspective and as an IT Security professional, it was a great job for me and my team. We were actively involved in almost everything the business did (albeit acknowledging that some things always slip through the cracks, but if anyone in the business did that, well, the buck (and penalties) for non-compliance stopped with them). We were under-staffed (as we all are), but little went through without our review and sign-off. Yes, I suppose for those people in the business it may have been a pain compared to the “old days”, but it was now how things had to be done, so everyone dealt with it. (Some better than others.)
Back to Being Soft
Moving back to Australian businesses after working in the Asia region in investment banking was a shock to say the least! All that was bad about IT Security before… hadn’t changed! And things haven’t changed that much since then (as you can tell from my at-times frustrated posts). And then along came the PCI DSS…
Conclusion – Comfort Zones and the Future
Regulation in many countries, such as the examples above, has created some controls and base levels of good practice where previously there was little or none. It has forced organisations to adopt good/better practices in their day-to-day business – ongoing! But it required big changes and for someone to bite the bullet, so to speak – albeit they had no choice. It was either do it or risk not being able to do business in these big business countries. Money talks and it’s amazing how quickly things can change when money is at stake.
A narrow view of what PCI DSS could do for your organisation is probably one of the reasons there is so much debate and anti-PCI DSS sentiment out there. To be fair, many of the results to date of PCI DSS, its reporting and the overall awareness have not always allowed the initiative to be seen in the light it should be. Anyway, I’m not here to argue those points. They’ve been done to death.
Has tighter regulation on IT security practices and controls made those organisations operating within these regulatory environments totally secure? No, of course not, but it most certainly has minimised their risks compared to where they would be today without regulation. Not all regulation is bad and, if done right, it is and will be the main driver of improved security practices across the board and will drive innovation further. Sounds weird? I still like David Rice’s thoughts on regulation here, in a talk I had with him recently.
I’ll stress it again. There’s really little in the PCI DSS that is not normal good IT security practice. If you’re not doing it [good security practices] now, questions should be asked as to why not. Businesses have an obligation to be doing it… for themselves, business partners, customers, staff, shareholders and society as a whole. If it takes a big stick to make it happen, well, I’m all for that.
PS. To those people who argue against PCI DSS because it does not go far enough, I put it to you that we first get the basics right. Companies are struggling with it now and you want to make it even tougher?