Wednesday, 13 May 2009

Compliance management vs Risk management

If we consider the question of regulatory compliance in terms of risk analysis, i.e. assume that:

threat – the consequences of a violation, as described by the compliance enforcement agency (CEA :)
vulnerability – non-compliance with the requirements
attack – a check made by the CEA
counter-measure – compliance with the requirements

then we have a practically unprecedented situation: all the basic data needed for a quantitative risk analysis based on the classical technique ARO x SLE = ALE (annualized rate of occurrence times single loss expectancy equals annualized loss expectancy) is available.


We have:

ARO – the frequency of CEA checks (the expected number of checks per year)
SLE – the consequences of a violation, as described by the law or by the CEA

This interesting situation not only shows that textbook rules still sometimes work, but also shows the great benefit of compliance as an engine of information security.

Let's consider some examples that are now widely known: Russian Federal Law 152 (On Personal Data) and PCI DSS.


PCI DSS

This one is quite simple: Visa and the other payment systems decided not to taunt business and allowed the action plan to be shifted because of current events in the world economy. This is a delay of the attack by several years. An unprecedented situation, where you know for certain that this particular attack will not take place during the year. Or a couple of years. Just imagine a licence freeing you from virus attacks or hardware theft for a year… A great thing!


threat – fines (N x K$) or prohibition of operations (let it also be N x K$ for simplicity), i.e. the SLE;
vulnerability – non-compliance with the requirements (PCI DSS);
attack – the CEA's (Visa, Mastercard, etc.) response to a deviation from the action plan (the probability that it will take place, the ARO, is 0 times a year)

In total, we have:

Risk = (N x K$) x (0) = 0

That is, you can do nothing!!!

But! The key condition is that you have an action plan. Accordingly, you should create one, by yourself or with a QSA, as you wish. Unfortunately I have no information about the regulator's response when there is no PCI DSS action plan, but I think in that case the SLE is roughly the cost of the counter-measure (the audit).

Federal Law 152

In this case everything is easy too.

threat – several variants:

1. Administrative liability: fines.
2. Suspension or termination of personal data processing in the company: the idle time or degradation of the affected business processes until the violation is eliminated. I think you can take a minimum of 1/6 of a year (two months).
3. The company and (or) its head is held liable for a criminal (civil, disciplinary, etc.) offence: a catastrophe.
4. Suspension or revocation of the licences for the company's core activity: close to a catastrophe in the current situation.

attack – a check by the CEA

Given the novelty of the law, the regulator's interest in it, and the possibility that a check is initiated from outside (by a complaint), the probability that the attack will be conducted in 2010 can be taken as 1.
For more detailed calculations by region and line of business the following statistics could be used:


In total, we have (worst-case scenario):

Risk = (the value of the business) x (1) = (the value of the business)

That is: there is a problem, and you have to solve it.
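The two calculations above (PCI DSS with deferred enforcement, FL-152 with a check expected in 2010), as an added example in Python that is not code from the original post: ALE = ARO x SLE per threat, a deferral that zeroes the ARO during the PCI DSS grace period, the worst-case ARO = 1 for FL-152, and the classical cost-benefit step the post only hints at (ALE removed by the counter-measure minus its annual cost). All K$ figures, the 2011 end of the deferral and the compliance costs are assumptions chosen for illustration.

```python
"""Compliance risk in the post's terms: ALE = ARO x SLE per threat, then the
counter-measure (becoming compliant) is weighed against the ALE it removes.
All monetary values are in K$; every figure below is an assumption."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: what one CEA "attack" costs us, K$
    aro: float  # annualized rate of occurrence: expected CEA checks per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy for this threat alone."""
        return self.sle * self.aro


def total_ale(threats: Iterable[Threat]) -> float:
    """Sum of ALE over independent threats (losses that can all occur)."""
    return sum(t.ale for t in threats)


def enforcement_aro(base_aro: float, year: int, enforcement_starts: int) -> float:
    """ARO of a CEA check in a given year when enforcement has been deferred:
    zero while the deferral lasts, the base rate once it ends."""
    return 0.0 if year < enforcement_starts else base_aro


def safeguard_value(ale_without: float, ale_with: float, annual_cost: float) -> float:
    """Classical cost-benefit of a counter-measure: the ALE it removes minus
    what it costs per year. Positive means it pays for itself."""
    return ale_without - ale_with - annual_cost


# --- PCI DSS: enforcement deferred (assumed until 2011), one check a year after that
PCI_FINE_KUSD = 500.0              # assumed N x K$: fine or prohibition of operations
PCI_ENFORCEMENT_STARTS = 2011      # assumed end of the deferral
PCI_COMPLIANCE_COST_KUSD = 100.0   # assumed yearly cost of the action plan and audit


def pci_dss_ale(year: int) -> float:
    fine = Threat("fine or prohibition of operations", PCI_FINE_KUSD,
                  enforcement_aro(1.0, year, PCI_ENFORCEMENT_STARTS))
    return total_ale([fine])


# --- FL-152: the four consequences in the post are alternative outcomes of a
# single check, so the worst case takes the largest SLE rather than summing them.
BUSINESS_VALUE_KUSD = 1000.0       # assumed value of the whole business
FL152_OUTCOMES = {
    "administrative fine": 10.0,                                    # assumed
    "suspension of processing (1/6 year idle)": BUSINESS_VALUE_KUSD / 6,
    "criminal or civil liability of the head": BUSINESS_VALUE_KUSD,
    "licence suspension or revocation": BUSINESS_VALUE_KUSD,
}
FL152_COMPLIANCE_COST_KUSD = 150.0  # assumed yearly cost of becoming compliant


def fl152_worst_case_ale(aro: float = 1.0) -> float:
    """ARO = 1 for 2010 as the post argues; worst case = the largest consequence."""
    return aro * max(FL152_OUTCOMES.values())


def compare(year: int) -> dict:
    """Value of compliance (the counter-measure) under both regimes in a year.
    Negative for PCI DSS during the deferral: the audit costs more than the
    zero ALE it removes, which is the post's 'you can do nothing'."""
    return {
        "pci_dss": safeguard_value(pci_dss_ale(year), 0.0, PCI_COMPLIANCE_COST_KUSD),
        "fl152": safeguard_value(fl152_worst_case_ale(), 0.0, FL152_COMPLIANCE_COST_KUSD),
    }


if __name__ == "__main__":
    for y in (2009, 2010, 2011):
        print(y, compare(y))
```

The deferral is the only thing that makes the PCI DSS line negative; once enforcement starts (2011 in these assumed figures) the same model turns the action plan into a safeguard worth 400 K$ a year, while FL-152 with ARO = 1 pays for itself from the start.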

PS. There is no need to draw far-reaching conclusions. It's just a funny story. We didn't sell FL-152 consulting :)
