Automating Compliance

As this article took shape, storage firm Iron Mountain lost backup tapes containing the personal records of 600,000 past and present Time Warner employees, and DSW announced that hackers had infiltrated its database, accessing personal information from 1.4 million credit and debit cards. In the past six months, George Mason University, the Las Vegas DMV, SAIC, Bank of America, Boston College and LexisNexis all admitted to security breaches that resulted in the theft of names, addresses and Social Security and driver’s license numbers. ChoicePoint, a data broker, was tricked into selling more than 145,000 records to fraud artists.

There appears to be a serious problem in how companies protect people’s personal data. There were 9.3 million identity theft victims in 2004, and those thefts cost the economy $52.6 billion. Data privacy is a growing issue that crosses application databases, operating environments and platforms.

To buck this trend, the United States has adopted federal privacy legislation, and individual states are adopting their own legislation as well. Consulting firms report increased business in their compliance areas, and numerous software solutions are appearing on the market. Using the appropriate tools, organizations should be able to automate their compliance management processes, effectively test their systems, and produce appropriate and complete documentation.

Privacy Legislation
The Gramm-Leach-Bliley Act (GLBA) limits financial institutions’ ability to disclose “non-public personal information” about customers to third parties. These institutions are required to tell customers how their privacy is being protected.

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare professionals and institutions to protect the security and integrity of patients’ private information. NIST Special Publication 800-66, the recently released guideline for implementing HIPAA, is aimed at organizations that must comply with both HIPAA and Federal Information Processing Standards (FIPS). It points out links between physical security, information security, and data assurance.

The Food and Drug Administration’s Code of Federal Regulations Article 21, Part 11 (FDA 21 CFR 11) requires all pharmaceutical, healthcare and food services and medical equipment manufacturing companies to preserve and secure information by establishing audit trails.

The Sarbanes-Oxley Act requires companies become more fiscally accountable.

Section 302 requires companies certify that the officer who signs periodic financial reports has reviewed and found the reports true and not misleading, that internal controls were established and maintained, and that the audit committee has been apprised of all significant deficiencies.

Section 404 requires companies to document and assess their control environments. This is believed to be the single most important piece of federal legislation on corporate governance, financial disclosure and public accounting since the U.S. securities laws of the 1930s.

The Fair and Accurate Credit Transactions (FACT) Act makes major changes to the Fair Credit Reporting Act (FCRA) to provide specific protections from fraud and identity theft. It requires merchants and credit agencies to tighten their systems for handling consumer fraud complaints and for protecting sensitive information from unauthorized disclosure.

The USA Patriot Act requires that financial institutions verify new accountholder identification, maintain information used for account verification, and cross-reference identities against federal terrorism lists. The legislation also makes businesses responsible for seeking, detecting and reporting computer trespasses.

Privacy regulations have been changing continually, and we expect additional legislation and changes. Visa and MasterCard are imposing new information security rules to avert identity theft. California and other states are passing additional state legislation. Clearly, compliance requirements will continue to evolve, and to meet them, businesses will need funds, personnel and software.

Obstacles to Compliance
Though compliance with these pieces of legislation is mandatory, not everyone is meeting the requirements by the deadline. For example, a January survey conducted by the Healthcare Information and Management Systems Society showed that only 18% of insurers were compliant with the HIPAA security rule at the time of the survey, and 74% of the insurers who were not yet in compliance expected to be compliant by the April 20 deadline. Those surveyed listed technology and process integration issues, time and budget constraints, and lack of understanding of how to implement the rules as major roadblocks to compliance.

According to Mehlam Shakir, founder, president and CEO of Incache, a provider of audit solutions, “The organizations being impacted the most [by privacy legislation] are ones that have paid the least attention to essential risk management policies and procedures. Becoming fully compliant with privacy and security regulations requires mobilization of resources at all levels of the enterprise. It requires senior management to understand the new laws, communicate the new policies and make sure controls get implemented at all levels of operations—business and IT. When dealing with hundreds of mission-critical/high-risk applications, it is truly a daunting job and an expensive proposition for enterprises. Since these regulations are driven by social needs, the risk of non-compliance far outweighs the implementation costs.”

“Most companies have found that in the rush to complete the Herculean task of documentation and testing to meet (SOx) Section 404 requirements, they overlooked developing a comprehensive strategy for ensuring ongoing cost-effective compliance processes,” said Michael J. Duffy, president and CEO of Sarbanes-Oxley software provider OpenPages. “In year two of the Sarbanes-Oxley era, companies that continue to take a tactical, manual approach to compliance will incur the same pain points—high audit costs, expensive consulting engagements and remedial work—as they did last year. There is a significant opportunity to reduce costs and increase efficiencies through automation.”

Automating Compliance
Brian E. McDonnell, president and CEO of RippleTech Inc., said, “Because HIPAA, or GLBA or SOX all require ‘control’ and protection of confidential information passing through computers, it is becoming absolutely critical that technology be leveraged now to keep up. Without the use of technology like RippleTech’s LogCaster, trying to control and secure the constant flow of new data being generated and tracked would be like trying to get ahead on a treadmill, while the speed gets systematically turned up. Companies are looking for ways to reduce the costs of compliance, including moving from their reliance on consultants. I would expect a huge drop in consulting fees in 2005, and a dramatic ‘spend’ shift to compliance technology, and the efficiencies that it brings,” McDonnell continued.

Kristin Lovejoy, CTO of Consul risk management, agreed, but stressed the importance of choosing the right compliance software solution. “Today the bulk of solutions marketed as providing compliance management capabilities tend to be focused on managing, measuring or reporting on component areas of operational concern as opposed to the complex interactions between these zones. Compliance management technologies are further sub-divided by a focus on security or performance. Emerging technologies are more holistic in nature, and are designed to focus on business operations as opposed to assets.”

Several products that address compliance are available from companies including Consul risk management, Incache, OpenPages, Optical Image Technology Inc. and RippleTech. Software solutions make compliance possible by allowing companies to automate their already defined compliance management processes, but remember: if a software package neglects key provisions of the regulations, the result may be large fines and even imprisonment of the organization's key executives. Companies must apply due diligence even when they employ solutions like these.

According to Christopher B. Karr, president of UberGuard Information Security Consulting LLC, “It’s been said that what is secure today is not secure tomorrow. History has proven this to be true time and time again. Technology is in a continual state of flux and consequently, so are the implemented compensating controls. To ensure that data is kept private, periodic re-assessments must be performed to re-establish the security baseline. Security policies should be periodically re-addressed and revised as necessary.”

D.E. Levine, CISSP, CFE, FBCI, CPS is a contributing editor to ST&D, co-author of several security books and can be reached by e-mail at