Are you caught up in the sea of information privacy and security regulations? Or, seemingly as bad, are you swimming in the ocean of vendor compliance products trying to figure out which life raft is best suited to keep your organization afloat? If so, join the crowd — it is growing larger every year.
When it comes to HIPAA, GLBA or the “regulation of the month,” it is one thing to be “compliant,” but it is quite another for all your money, time, and effort to be spent wisely to ensure that your business goals are actually being met and properly managed. Applications that automate and ease the pain of security administration can play a large role in this process.
Information security success is directly proportional to the quality of the tools you use. But compliance tools aren't the “compliance in a box” solution that they sometimes appear to be — there are both pros and cons. Here's what you need to know before you spend another dime.
Options and Benefits Abound
Compliance is not a one-time deal — it is a mindset and mode of operation. It is also a matter of balancing what someone else says you have to do with what actually needs to be done inside your business. To keep up with the many compliance updates — from analyzing overall risks to controlling who can do what on the network to rooting out security vulnerabilities on an ongoing basis — you need good tools.
There are hundreds if not thousands of compliance products waiting to help you lock down every nook and cranny of your network. Whether a small non-profit or a global corporation, there is a tool out there for all of your compliance needs:
AMR Research estimates that organizations will spend nearly $30 billion on governance, risk management and compliance — a large part of which involves the types of privacy and security tools listed.
Not only are the options plentiful, but so are the business benefits behind them. Compliance tools provide value by helping to enforce the very policies intended to keep you compliant. They can also be used to manage multiple compliance requirements concurrently, instead of using one tool to manage one set of systems for one regulation, and so on. Many of the tools — especially the ones for configuration, policy and access management — can be used to implement and enforce high-level compliance requirements. They also come pre-packaged with helpful policy and reporting templates. All of this can drastically ease the burden of managing a half-dozen or more IT-related regulations.
Beware of the Marketing Machine
With all the positive aspects associated with compliance tools, there are still a few negative aspects. For starters, it seems that every vendor has a compliance “pitch” — just because a vendor says its tool is for compliance management or helps you comply with certain regulations does not necessarily mean it is ready to do so. For all you know, a software developer or product manager with no regulatory compliance expertise may have built in a generic report template that simply says “HIPAA Compliance Report” across the top without actually delving into any aspects of the HIPAA security rule — the same goes for SOX, PCI and CA SB1386. These added “features” often translate into a higher price tag with no real competitive differentiation or value added for the end-user.
When evaluating compliance tools, ask prospective vendors the following questions:
1. What does your product do that is specific to my needs?
2. How does your tool help with audit logging and documentation requirements for regulations such as SOX or GLBA?
3. How does your product help me with real-time audits when I need to determine my current level of compliance?
4. What preset regulatory policies, rules and report templates are included?
5. Can you provide references of similar organizations in my industry?
You want to look for succinct answers that explain how the tool is going to help you close the loop on your ongoing compliance processes.
Remember, compliance does not “come in a box” — purchasing and using compliance tools is only a part of the investment. It may be a vital one, but it is only part of the overall solution.
Where Do You Start?
With so many options on getting compliance in check, it is easy to get overwhelmed. Whether you think you need configuration management, vulnerability management or encryption tools, you must step back and examine what you are trying to accomplish: What regulations do you have to comply with? What information are you trying to protect?
The only way to determine this is to perform a risk analysis. You can even buy a tool to do this. The ISO/IEC 17799:2005 framework (www.iso.org) is a great place to start, and the NIST Special Publication 800-30, titled Risk Management Guide for Information Technology Systems, is a good — and free — resource as well.
The results of the risk analysis will indicate where to prioritize the organization's efforts and your budget. You may find that only one new technology is needed to get things on track; on the other hand, you may have a mess. A simple and inexpensive option is to use all the free and built-in technical controls already in place for your network and systems that manage sensitive information — including authentication mechanisms, access controls, logging systems, etc. The only drawback to these built-in controls is that they often do not scale well and can become hard to manage.
There's no hard and fast rule as to what and how many compliance tools it takes to become and stay compliant. Everything depends on your environment, culture, politics and internal skill sets. Mix and match technologies where it makes technical and business sense — just remember, when using technologies to help with compliance, less is more. With fewer applications to manage and tools to run, the system will be less complex and will take less effort to maintain. This means fewer errors, clearer insight and improved oversight.
Whether all this regulatory compliance is beneficial for business and consumers is indeed an area for lengthy debate. One thing is certain: You do not want to end up on the business-end of the enforcement arm when something happens. Better to achieve at least some semblance of compliance with a good set of tools. Do your research and buy smart.
3 Quick Steps for Compliance Tool Success
1. Get management on board: One of your greatest hurdles in acquiring good tools for improved regulatory compliance is trying to convince management that it is a good investment. This will not happen overnight. If you force the issue, you will set yourself up for failure. Get involved, establish your credibility and show how these tools can help with compliance and how compliance can benefit the organization.
2. Get others involved: Contrary to popular — and often forced — practice, information privacy and security regulatory compliance is not the sole responsibility of the IT and/or security departments. Compliance is an issue that affects practically every aspect of the business. Form a compliance committee if your organization does not already have one. Bring in key people from HR, legal, risk management and operations to help drive regulatory compliance initiatives and decision-making processes. A committee will not only help with compliance visibility but also with budgeting when the time comes to purchase good tools.
3. Focus on the urgent and important: When performing a risk analysis, look for ways that compliance tools can help you get rid of the low-hanging fruit that's creating all the problems. That is, determine what's “urgent” — what can be exploited now and is in dire need of help — and what's “important,” such as systems that house or process sensitive and regulated information. Focus your effort, time and money on the “vital few” rather than the “trivial many.” This process, used over and over, will help you “close the loop” in your ongoing compliance requirements.
HIPAA: The Health Insurance Portability and Accountability Act was enacted by U.S. Congress in 1996. Title II of HIPAA, the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers. The AS provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
GLBA: The Gramm-Leach-Bliley Act is designed to protect the private financial information of consumers. The law instructs financial institutions to secure and protect private information from unauthorized use or access and updates the practice and policies for individual consumers to control the use of such data. GLBA was signed into law in 1999 with full compliance required by July 1, 2001.
SOX: On July 30, 2002, the Sarbanes-Oxley Act of 2002 was signed into federal law. The purpose of the law is “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.” The effect of the law is sweeping, long-term changes in the way publicly traded companies manage auditors, financial reporting, executive responsibility and internal controls.
PCI: The Payment Card Industry (PCI) Security Standards Council was formed in September 2006 by a group of five payment brands: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. The council released version 1.1 of the PCI standard, which applies to all payment card network members, merchants and service providers that store, process or transmit cardholder data, and affects all payment channels, including retail (brick-and-mortar), mail/telephone order and e-commerce. The core requirements: Build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control; monitor and test networks; and maintain an information security policy.
CA SB1386: The California Information Practice Act, or Senate Bill 1386, which went into effect in July 2003, requires companies that own or have access to personal information of California residents to notify them if their data have (or may have) been accessed illegally.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around IT compliance. Kevin has authored/co-authored six books on information security. He's also the creator and producer of Security On Wheels - security learning for IT professionals on the go. Reach him at firstname.lastname@example.org.