IT Compliance

Nov. 17, 2009
Getting your arms around the beast

If you are like most people in business today, you are up to your eyeballs with “compliance” requirements. Sarbanes-Oxley, GLBA and HIPAA might not have been too bad, assuming they even affected your organization at all. But now there is PCI DSS, the HITECH Act, FTC Red Flags and breach notification rules, and the dozens of state breach notification laws on top of everything else.

With all this recent government and industry intrusion into the free market, you would think it is next to impossible to get things under control. Well, it is that way for many organizations. But it is not the mere existence of these laws and regulations that is bringing people down; it is typically how people are handling them that is causing the problems.

Being an outside consultant, it is easy for me to make recommendations to clients and be done with it. Not having to get caught up in the day-to-day grunt work and political barriers is indeed an advantage. But I see something related to security and privacy compliance that is consistent in all types of businesses regardless of their industry and size — it is people duplicating efforts trying to address each of the laws and regulations on a case-by-case basis. For instance, they will spend good time and money tackling HIPAA. Once they have gotten it under control, they will start over with GLBA and then on to PCI DSS. Next, they will sort out all the state breach notification laws, and on and on. This approach certainly keeps people busy and may be good for job security, but it is very costly and completely inefficient.

If you feel like your organization is spending too much time on compliance for the sake of compliance, here’s what you can do to truly get your arms around this beast:

Make Compliance a Team Effort

If you are going to get things under control, the first thing you need to do is assemble a team of stakeholders into a security committee (or whatever you want to call it). This will likely be legal, HR, marketing, operations, internal audit, IT and at least one member of executive management. Every business is different. You will have to find out who is going to be able to effect the most change. Obviously, forming such a committee will require the backing of management. None of what I am writing about is sustainable without management’s support. But that is for another discussion.

Be careful with the size of your security committee. Anywhere from five to seven people, with one person serving as the leader, is plenty. Interestingly, I have seen so-called security committees like this with 20-30 people in them. They were not only too big to get anything done, but they rarely addressed security and compliance. Instead, they focused on project management, change management and other tactical issues that did not address the big picture with security.

Use your security committee to not only set and enforce policies, but also to engage your employees. One of the best things any organization can do to minimize information risks is to keep privacy and security on the top of employees’ minds. Rather than pushing “compliance” on everyone, talk about how your business is taking things up a notch and improving its privacy and security efforts all for the greater good of the business.

Know What You Are Up Against

You absolutely have to understand the laws and regulations that affect your business. It sounds trite, but I talk with a lot of people — often the very people in charge of compliance — who are not aware of regulations such as PCI DSS, the state breach notification laws and the recent HITECH Act. You also have to understand business partner and customer requirements and even your own internal policies — it is all related to “compliance.” Once you understand the specific requirements of these laws and regulations, you will see that they overlap heavily: most of them call for the same core controls, such as knowing where sensitive data lives, restricting who can access it, protecting it in storage and in transit, and being able to detect and respond to a breach. That’s the beauty of this — you can address information security and manage risks at a higher level and, with a few exceptions, end up complying with everything across the board.

This leads me to another point. What exactly does compliance mean? Perhaps a good exercise is to sit down with your committee and define compliance and how it fits into the context of your business so you will know what to focus on. In a nutshell, compliance is about doing business within a set of boundaries — in this case, the boundaries are all the requirements of these laws and regulations your business is up against. Make sure everyone is on the same page with this.

If needed, get some of your IT and security product vendors involved. They often have expertise that can help you map out what you are up against; however, do not rely on their marketing hype alone. Rather, get them in on your discussions and talk about how their products can help take the pain out of managing compliance, especially in the area of automation.

Understand What is at Risk

Arguably the greatest oversight related to information risk is people not understanding which sensitive information is where and how it is currently at risk. This is something easily determined by an information risk assessment. Unfortunately, too many people rely on the word of their network administrators or the findings from some high-level checklist audit. That is not enough. You have to dig into your computers, your applications and your IT operations with a malicious mindset using good tools and techniques to find out what really matters. It is OK to start small with a security “review,” but you must eventually leave no stone unturned.

Focus on sensitive information and the problems surrounding it that are both urgent (have to fix it now because it is directly exploitable) and important (we cannot afford for this system to be offline). If you do it right, your risk assessment will show you exactly where you need to focus your efforts and your budget.

Do not reinvent the wheel. There’s no need to start from scratch developing a risk framework — it has already been done for you. If you leverage existing standards such as ISO/IEC 27001 and 27002, COBIT and COSO, you can create one overarching control framework and map each regulation you face, now and in the future, onto it, rather than building a separate program for each one.

Automate Where Possible

Static policies, plans and controls are one thing, but automation is going to be the key to effective information risk management down the road. There is just too much to keep up with otherwise. Look at how you can improve information security-related processes to simplify things. If you have the right tools, you will be on top of things rather than having to constantly react. You will know how things are working rather than wondering whether things are working.

However, before you go out and buy expensive tools, make sure you are using what you already have to its fullest extent. The “free” controls built into today’s operating systems and applications can satisfy numerous compliance requirements — that is, if they are actually turned on and used. Just know that no control, no managed service and no product you can buy is ever going to automatically make you compliant. Neither compliance nor security comes right out of a box.

Ongoing Security Assessments

Security is not a one-time deal and neither is compliance. They are as much a mindset and a culture as anything else — something that has to be nurtured now and moving forward. Time and again, business executives, IT directors and compliance managers will claim their information systems are secure or “compliant” because they had a vulnerability scan last year and everything checked out. If information security were that simple, I and many, many other security professionals would be out of work.

Trust, but verify. Make sure that the right type of testing has been done and is being done on a periodic basis. I can guarantee you that systems (Web applications, network devices, etc.) that have only been scanned once and were subsequently deemed “secure” are security breaches in the making. Things change — you have to be consistent with this. Also, do not forget about the operational side of security. Things like patch management, change management, development processes, documentation reviews and so on. It is often this soft side of the equation that prevents any reasonable semblance of compliance.

Getting Past This Stage

Whether all “compliance” as we know it is beneficial for business and consumers is indeed an area for lengthy debate. One thing is for sure: Information security is an issue that can make or break your business — so it cannot be ignored. If you focus your information security efforts on process, policy and people, you will address the large majority of your information-related business risks.

Getting your compliance initiatives in order is more than just kowtowing to an auditor or falling in line with what a bigwig legislator thinks is best. Furthermore, there is no need to worry about all the differing opinions on how to comply with a specific law or regulation. It is about bringing a long-term perspective to the situation and doing what’s best for your business.

Albert Einstein once said, “You can’t solve a problem on the same level that it was created. You have to rise above it to the next level.” Rising above the compliance noise and seeing the bigger picture does just that. Think of information security as a means for managing business risks and compliance as a nice side-effect. Outline how specific security controls that satisfy specific compliance requirements meet specific business needs. That’s the formula for making all this work.

It may seem impossible to stay in line with all of the information security laws and regulations while at the same time reducing business risks and keeping compliance costs to a minimum, but it can be done. It is all in your approach.

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Principle Logic LLC, where he specializes in performing independent information security assessments. He has authored/co-authored seven books including “Hacking for Dummies,” “Hacking Wireless Networks for Dummies,” and “Securing the Mobile Enterprise and Laptop Encryption for Dummies” (Wiley). He is also the creator of the “Security On Wheels” information security audio books and blog providing security learning for IT professionals on the go. He can be reached at [email protected].