Not much of a contest actually, as CMS hasn’t officially moved the HIPAA bar at all. Maybe the HITRUST alliance will have an impact in healthcare, but probably not, unless they have some regulatory backing and an actual audit function.
GLBA and the FFIEC InterAgency Guidelines (and the Information Security Handbook) have seen extensive changes over a longer period of time.
OK, so it’s a standard, not a regulation. In the standards world we have formal de jure standards and de facto (industry) standards. The same goes for compliance regulations. PCI is really a de facto regulation: compliance is enforced by the industry, and it isn’t optional.
I finally took a detailed look at 1.2, which is a whopping 72 pages. PCI 1.1 was 16 pages. PCI QSAs are loving it. I wonder what that does to the average cost of a quarterly scan, or an annual audit?
A big part of the increase is that they changed the format of the document to allow for audit test descriptions, but there is still a lot more in the new version. A couple of interesting things that the PCI SSC is doing as of 1.2:
- They explicitly reference the OWASP top 10 vulnerabilities, and they require that if the OWASP list changes, the compliance requirement also changes (presumably in your next quarter’s PCI scan)
- They have language for each requirement for audit test procedures, which is a REALLY good step IMHO (it eliminates some subjectivity from the QSA presumably). Version 1.1 just described the requirement; with 1.2, organizations can see the actual test procedure that the QSA will use, so they know exactly what to expect: no surprises.
Whether you love or hate PCI, I think it’s fair to say that it is the only major regulation that is changing anywhere near as fast as the threat environment is.
Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.
Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.
An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.
He holds a B.S. in Marketing from Southern Illinois University.
Blog: www.compliancefocus.com
Twitter: http://twitter.com/jim_hietala
LinkedIn: http://www.linkedin.com/in/jimhietala
Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com
said this on 09 Dec 2008 1:18:18 PM EDT
>which is a whopping 72 pages. PCI 1.1 was 16 pages
PCI guidance didn't really change much - they just reformatted the doc and added verification to the same doc...
said this on 09 Dec 2008 1:19:15 PM EDT
>Version 1.1 just described the requirement
This was in a separate doc during "1.1 times", but it still existed.