Legislate or Educate?


With all the tours, Energize IT and other travel out of the way for a few weeks, I had a chance last week to catch up on some reading.  I came across a lot of articles on legislation enacted in parts of the US, and being considered by some here in Canada, that would give the force of law to the Payment Card Industry Data Security Standard (PCI DSS).  PCI DSS itself is not a law; it was developed by the major credit card companies as a contractual standard for protecting cardholder data and payment transactions.  Now my thoughts on this are not for or against this becoming law, or even about the details of it, but when I read the 12 requirements it got me thinking.  Do we need to legislate this?  Or do we need to educate IT professionals on proper security and data protection methods?

There are 12 requirements to comply with PCI DSS, and they are as follows (you can read about the requirements in detail here):

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data (not a duplicate of #7: that one covers logical access to the data, this one covers physical access to the systems and media that hold it)
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Sounds like common sense, doesn't it?  Sounds like, oh, say, a defense in depth approach to security, doesn't it?  But is this being taught in the IT schools, colleges and university programs?  I went to CDI College back in 2001 and I was not taught this.  I learned a lot of this on the job as well as through continued reading after I graduated.  Speaking to a few students over the past year, when I ask what they are learning I hear a lot about products.  They are learning SQL, Exchange, AD, etc., but not one of them mentioned security!  Products don't secure themselves, and I don't care what you are running (Windows, Linux, OS X, SQL Server, MySQL, etc.): if the admin doesn't know security best practices and how to implement them, law or no law, the systems are not secure.

That scares me!  The products are the easy part to learn, but there seems to be a lack of education on the fundamentals.  Is legislation going to change this?  Or should we be educating IT professionals and students so that they have the knowledge to put these practices in place?  What do you think?

Comments (2)

  1. Rodney Buike says:

    When I was speaking about this at lunch with Barnaby, he reminded me of a blog post on the Canadian IT Managers blog over a year ago with some thoughts on credit/debit card privacy.

    http://blogs.technet.com/cdnitmanagers/archive/2007/01/03/new-year-s-privacy-resolutions.aspx

    Rodney Buike

    IT Pro Advisor

  2. ye110wbeard says:

    You’ve got a good point.  It is much more important to remind guys “Hey, you should do these things”.

    It seems pretty “Common Sense”, but with a billion things on the mind, sometimes it slips.   Legislating it?  Well, it certainly doesn’t hurt to make it the law to “not be stupid” with somebody else’s information.  (Credit cards used to be traded freely like gold on various hacker systems years ago, and probably still are to a certain extent.)   I imagine the amount lost by Credit card companies could be EASILY millions.

    Now having worked with Lawyers, I can already see the “legislate” part.   There has to be some level of accountability if somebody doesn’t bother taking those steps.  

    It would be obvious in a larger shop.   You lose your job.   NOBODY likes that.   On our worst and best days, we all USUALLY like our job… 🙂  Paychecks are always nice and good co-workers are hard to find.

    But on the other side, a smaller shop where you are the one responsible for the Credit card transactions (pretend you are the boss).   Well, let’s just suppose you DON’T care about what happens and let “a few slip out” and make some extra cash on the side.   (oops!) Say a few nefarious parties offer some extra dough to “catch a couple of cards”.   I mean, it’s already illegal to do that (It is, right? Fraud is still a crime in Canada, correct?).

    So making it illegal on a second level.  I wonder if that “Closes a few legal loopholes” somebody may have come up with.  (It was a bug in the software, therefore “blah blah blah” is responsible; offload the blame).  I am no expert on the law.  I know of many Lawyers who are “Law Geeks” and can rip through legislation and understand it the way I understand logic.    They would understand the benefits / drawbacks of more legislation.  (Oooo oooo I know, more government funding!)

    Love the food for thought.    Unfortunately, there are too many butterflies in my stomach today for me to eat more…. 😉
