* Recent ruling against a leading wholesale club chain obliges industry to understand and adopt a complex range of information security best practices
* RSA Security launches initiative to clear a path through the fog; help businesses safeguard their customers, data – and reputation
Bedford, MA
With the business world still contemplating the effects of the Federal Trade Commission’s recent ruling against a leading wholesale club, RSA Security Inc. (Nasdaq: RSAS) today announced its Best Practices Framework – a tool that will help businesses across the globe to recognize and deploy the information security controls that apply to them.

The FTC ruled that the wholesale club failed to take appropriate security measures to protect the personal information of thousands of its customers, and that this was an unfair practice. The FTC determined that this failure resulted in millions of dollars of fraudulent purchases. The FTC had asserted that the club had failed to encrypt data or secure wireless access points; failed to use sufficient measures to detect unauthorized access; and that it stored the information in files accessible through default usernames and passwords.
Of particular note, FTC Chairman Deborah Majoras said that, “Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security. This case demonstrates our intention to challenge companies that fail to protect adequately consumers’ sensitive information.”
“The FTC’s action is significant, as it precedes possible Congressional action on national breach notification legislation, and places new responsibilities on businesses everywhere to take reasonable security measures,” comments Art Coviello, president and CEO at RSA Security Inc. “The question that many organizations are now asking is ‘what constitutes reasonable and appropriate action?’ In an increasingly complex regulatory environment, finding a comprehensive answer to that question can be a laborious task.”
The RSA Security Best Practices Framework has been meticulously developed over a period of 12 months to help businesses navigate the minefield and eliminate complexity and confusion around regulatory compliance. The Best Practices Framework maps the key regulatory business requirements to related IT controls and suggests specific best practices for each.
RSA Security’s team has cross-referenced regulations from around the world – such as Sarbanes-Oxley, Basel II and the European Union’s Data Protection Directive – and more than 60 best practices derived from the key identity and access management requirements from the associated control frameworks and standards: COBIT, NIST 800-53, ISO 17799, and FFIEC. These were then brought up to date with insight from the SANS Institute, analysts, and in-house RSA Security experience gained from working with more than 18,000 customers worldwide. The best practices are a powerful tool to provide information security controls in the areas of risk management, authentication, access control, data protection and logging and reporting.
“One of the biggest challenges organizations face is wading through the complexities of various control frameworks and standards to understand the best practices that are truly relevant to their business,” said Trent Henry, Senior Analyst, Burton Group. “One successful strategy is to map the common requirements of such standards, to determine the most widely accepted enterprise controls. Done by an individual organization, however, this can be a considerable amount of effort, so efforts to streamline the process should benefit companies in the long-run.”
RSA Security’s Best Practices Framework is designed to allow businesses to quickly – and simply – assess their own needs and specific compliance and business objectives. Access to the complete set of best practices is gained through an easy-to-use interactive tool also developed by the company – the RSA Security Compliance Scorecard.
“The essence of the recent ruling sends a clear message to organizations that rely upon, collect, sell, store and otherwise use sensitive personal information: you have a responsibility to protect the data that you have been entrusted to hold. To date, it seems pretty clear that many have failed to take that responsibility seriously,” comments former FTC Commissioner Orson Swindle. “RSA Security has taken a commendable step by developing a rich resource of information which will help any organization understand the information security implications of the many privacy, corporate governance and data protection regulations set at various levels of government.”
“If we are to maintain consumer trust in information technology and e-commerce, we must move more completely toward a culture of information security and employ best practices. RSA Security is helping us all to take a bigger step in that direction,” continues Mr. Swindle.
In the meantime, federal legislation that would likely place increased obligations on businesses is being vigorously debated in the U.S. Congress. Requiring more immediate attention, 18 states have already passed new laws on breach notification, many of which are modeled after California’s SB 1386, the first such state law in the nation.

If you would like more information on the RSA Security Compliance Scorecard, please visit www.rsasecurity.com/node.asp?id=2895 or e-mail compliance@rsasecurity.com.
About RSA Security Inc.
RSA Security Inc. is the expert in protecting online identities and digital assets. The inventor of core security technologies for the Internet, the company sets the standard in strong authentication and encryption, bringing trust to millions of user identities and the transactions that they perform. RSA Security’s portfolio of award-winning identity & access management solutions helps businesses to establish who’s who online – and what they can do.

With a strong reputation built on a 20-year history of ingenuity, leadership and proven technologies, we serve more than 18,000 customers around the globe and interoperate with more than 1,000 technology and integration partners. For more information, please visit www.rsasecurity.com.