Analysis and Commentary, Legislation

PCI DSS Becoming the Standard of Due Care

07 July 2009


Nevada just passed new legislation that, in effect, mandates the provisions of PCI DSS for businesses and other entities that handle non-public personal information. You can read it yourself here, and additional details and commentary can be found at BankInfoSecurity.com.

Since my trip to London earlier this year, I have actively pondered what the future brings for the standard of due care. Specifically, what frameworks and practices will emerge as being the minimum standard to which we are judged in our efforts to protect data. In my post on US vs. UK perspectives for choosing a controls framework I mentioned how the people I talked to in the UK were focused on becoming ISO compliant with regards to their security programs and that they felt this was a competitive differentiator for their businesses. They also stressed the outside validation provided by BSI on a recurring basis as an independent audit and how it helped establish confidence in their ability to protect sensitive customer information.

With the absolutely phenomenal reach of PCI DSS, and the move by Nevada to legislate its adoption, I think we are entering an era where this standard becomes the minimum. After all, with it being so widely enforced, it soon becomes what a reasonable person in similar circumstances must do.
The real trick for practitioners then becomes not the controls being applied, but the effectiveness and efficiency that the organization can expect on a per dollar basis. In summary, it isn’t what you are controlling, or even how, it is how well that matters.



© 2009 Brightfly, Inc.
