Regulations aimed at protecting the security and privacy of organizations and individuals are well meaning. But sometimes these standards, or how they're interpreted, can be more than a nuisance—they can actually contribute to weaker security.
Here are few examples, from security executives and analysts, of internal and external compliance standards that are potentially problematic, and how they can be addressed so that they don't cause problems while they're trying to provide solutions.
Encryption and HIPAA
Many organizations and security executives are under the mistaken impression that compliance with the Health Insurance Portability and Accountability Act (HIPAA) requires encryption, and this can actually lead to security problems, says Paul Proctor, vice president and distinguished analyst at Gartner Inc.
In fact, HIPAA requires the appropriate use of encryption, which is quite a different standard and can mean the difference of millions of dollars, Proctor says. Aside from the overspending of time and energy on encryption, the misunderstanding related to HIPAA can have a negative impact on certain business processes, affect application performance and even cause users to bypass certain controls because they're annoyed at security, he says.
Decisions such as over-encrypting data "tend to have a ripple effect, of which lowering security is only one," Proctor says. "The answer is to develop a risk management process that allows thoughtful consideration of what you should do" to be compliant with regulations. "Organizations can make poor decisions if they don't have a formal risk management process—and most don't."
Sometimes the regulatory environment has companies spending money on tools that aren't effective, and makes life more difficult for customers. When Tony Hildesheim, now senior vice president of IT at Redwood Credit Union, was working at another organization, internal regulations mandated that no account information be printed on any document.
"This also required that if you emailed a customer information, it had to be in a password-protected PDF," Hildesheim says.
This caused multiple problems. "Many financial institutions truncate the account number so that the whole number is not printed on any material," Hildesheim says. "Without an account number present on a piece of paper, it is hard to help the customer, many of whom no longer can tell you their account number."
The other issue is that with the company's email scanning solution, it was having a difficult time scanning the password-protected PDF. "Therefore, the security measure we put in place to ensure no data [such as credit card numbers] is emailed out of the company is rendered useless because the system cannot break into a PDF," Hildesheim says. "We had to change the procedure, train the staff and fight with the audit department."
Sign up for CIO Asia eNewsletters.