INFORMATION
ESSENTIAL GUIDE TO
Compliance with federal and industry regulations drives spending and how most information security programs are shaped. There’s no avoiding it. We’ll help you sort and prioritize your responsibilities.
8 PCI Update: Clarity or Confusion?
15 New Mandates: Massachusetts and Nevada
23 HIPAA Gets Some Teeth
32 Disproportionate Pain
39 Prioritize Information Security over Compliance
Database protection and compliance made simple. Guardium, an IBM Company, provides the simplest, most robust solution for continuously monitoring access to high-value databases and automating compliance controls for heterogeneous environments – assuring the integrity of trusted information and enabling enterprises to drive smarter business outcomes.
• Gain 100% visibility and control over your entire DBMS infrastructure.
• Reduce complexity with a single set of cross-DBMS auditing and access control policies.
• Enforce separation of duties and eliminate overhead of native DBMS logs.
• Monitor privileged users, detect insider fraud and prevent cyberattacks.
• Automate vulnerability assessment, data discovery, compliance reporting and sign-offs.
For more information, visit www.guardium.com/InformationSecurity
Copyright © 2010 Guardium, an IBM company. All rights reserved. Information is subject to change without notice. IBM and the IBM logo are trademarks of International Business Machines Corporation in the United States, other countries or both.
CONTENTS: ESSENTIAL GUIDE
FEATURES
8 PCI Update: Clarity or Confusion?
PCI DSS: What you can expect from this fall’s update to the Payment Card Industry’s Data Security Standard. BY GEORGE V. HULME
15 New Mandates
STATE DATA PROTECTION ACTS: Massachusetts and Nevada usher in a new generation of data protection laws. BY RICHARD MACKEY
23 HIPAA Gets Some Teeth
The HITECH Act expands on HIPAA’s security requirements and increases penalties for non-compliance. BY MARCIA SAVAGE
32 Disproportionate Pain
Smaller public companies bear significantly higher pain in terms of revenue and costs per employee complying with Sarbanes-Oxley. BY NEIL ROITER
39 Prioritize Information Security Over Compliance
RISK MANAGEMENT: Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation. BY TONY SPINELLI
INFORMATION SECURITY • ESSENTIAL GUIDE • COMPLIANCE
Find the cybercriminal. (Never mind. ArcSight Logger already did.)
Just downloaded the customer database onto a thumb drive.
Stop cybercriminals, enforce compliance and protect your company’s data with ArcSight Logger. Learn more at www.arcsight.com/logger. © 2010 ArcSight. All rights reserved.
No Token Gesture
BY MICHAEL S. MIMOSO
The PCI Security Standards Council needs to embrace tokenization.
“There are things being negotiated now that are gonna solve all your problems and answer all your questions. That’s all I can tell you now…” —Michael Corleone.
OK, so it’s a stretch to associate The Godfather with tokenization, but it’s a segue to a shoutout to the PCI Security Standards Council: Move swiftly and formall