Mikhail Utin talked about a different approach to security at the DeepSec 2011 conference:
While information security can be improved in a number of ways, one powerful approach is continually overlooked by security researchers. This approach constitutes a collective effort by masses of computer users, where each individual has a very limited understanding of information security and is frequently forced to improve security by various laws and regulations. Pressure coming from both the government side and cybercriminals affects small businesses' capability to conduct business as usual. It is questionable whether, in such a situation, an adequate security level to protect information can be achieved.
This presentation is our attempt to address this gap, to analyze the current status of information security processes among the masses based on the situation in the US, and to identify our ability to protect personal information through government regulatory affairs and the implementation of regulations. We recognize that the US has a specific form of government, laws and business organization. However, since information security and the protection of personal information are a growing global concern, our hope is that this analysis will help the international security community at large to avoid some of the pitfalls discussed below.
While the US has numerous laws protecting personal information, two regulations are most pertinent: the federal HIPAA/HITECH and the state of Massachusetts MGL c.93H / 201 CMR 17.00. This paper considers the obstacles to achieving compliance with both regulations. In particular, the compliance process affects small and mid-size businesses, which, by and large, do not have sufficient resources to be compliant. The situation is made even more difficult by the government not providing any help to start the compliance process. The second problem is that the US government does not take appropriate measures to enforce compliance. The authors consider the degradation in security that results from the deficiencies in the enforcement process. Such an uncertain and grim security situation could be significantly improved if government and businesses worked together as part of one process. The authors recommend certain measures for achieving a better security posture, including automation of the phases of the compliance process.