More Security Regulations on the Way

If at first you don't succeed, try again, and again, and... When laws, regulations and standards don't get the job done... we get more! I am not complaining - that might violate my professional standards as a lawyer and even upset a few UVA Law classmates.

However, two separate announcements caught my eye this evening that suggest a trend: the tide of security regulation is soon to rise, significantly and through a few different channels.

First, the state of California joins Minnesota in an effort to legislate the standards imposed by the credit card industry (the Payment Card Industry Data Security Standard, PCI DSS). Interestingly, the liability provision has been watered down to avoid a veto from Arnold "the Terminator" (as happened last year)! Given the continued vague guidelines and limited liability, I would not expect much to result from these activities.

A much more interesting and subtle announcement came out of the Army. The US Army wants to know about the IT security practices of its contractors. I would expect to see these findings resurface in the next twelve months as specific standards for Army contractors. Much like Walmart, DoD can (and should) drive major market shifts: "customer" market influence can drive change far more swiftly and meaningfully than legislation. However, to be effective, contractor guidelines must provide clear and concise standards that are far more easily implemented. I hope the DoD will learn a lesson from the PCI DSS experience.

Maybe the Army (and its contractors) should look at AccessEnforcer: with OpenBSD, an IPsec VPN, Calyptix Remote VPN, an Intrusion Prevention System, and more, it might be just what the little guys need to beef up their systems!
