It’s never going to be easy, but you can count on a few things: You will be responsible for determining which technology deployments meet which requirements, and it starts with an understanding of your business needs and organizational structure, not with technology itself. That’s the story for Kim Van Nostern, CISO at Allstate Insurance Co. The company’s Workplace Division sells insurance within businesses, which means it must manage some medical-related information relevant to HIPAA. And the company is a publicly traded company, which means SOX compliance is a necessity. The good news–such as it is–is that a given technology deployment might help with adherence to more than one regulation, Van Nostern says. “Every piece of legislation requires the same kind of controls, especially security controls,” she says.
That said, experts are quick to point out that none of the Big 3 regulations relevant to U.S.-based companies are explicit about the types of technologies firms should deploy to achieve compliance. In fact, prescriptive when it comes to technology, and IT security pros who dig deep into HIPAA might find recommendations related to authentication technology, for example.
But overall, when it comes to SOX, HIPAA and GLBA, deciding which applications to put in place–and which aren’t necessary–is something each organization must tackle on its own.
“If you look at Section 404 [of SOX], which is the section that sort of started it all, it says only that you have to have ‘effective business controls,’” says Diana Kelley, senior analyst at research firm The Burton Group. HIPAA doesn’t explicitly require firms to encrypt e-mail going to or from third-party partners, for example. Data-retention policies that include automatic deletion after the applicable retention regulations expire are important as well.
Mackey suggests organizations contain their regulatory compliance as narrowly as possible, worrying only about the systems and applications relevant to a particular regulation. For example, SOX, Mackey says, is essentially about financial reporting. He recommends trying to segregate internal systems so those related to financial reporting are cordoned off from systems that are irrelevant to SOX, such as company informational Web sites.
Obviously, core security functions, such as patch management, encryption, virus detection and firewalls, are critical and relevant to more than just one regulation. The investment company designed a process under which it evaluates its own business needs related to the services each partner provides. That’s the case at the Indiana University School of Medicine, which must comply with HIPAA across 36 separate departments that are part of the school.
Schmidt stresses the importance of building a “compliance foundation” that’s applicable across all elements of the school and doesn’t rely on any individual or group in order to remain viable as staff changes occur.
Prior to SOX, Paul says, immature IT shops might have let just any application designer go into a system and make changes. American Financial uses identity management to tightly control which developers can alter “systems of record,” such as actual operational systems. Paul also advises taking a risk-management-based approach to compliance.
The level of rigor that an organization should put in place–the number of preventive controls, for example–should be based directly on business risk. The first step in that process is risk analysis. “It’s got to be based on how the business operates and where the risks are,” Paul says. “I don’t have to put a big identity-management system in place for the Intranet that posts the weekly cafeteria menu.”
AARP, the advocacy group for senior citizens, isn’t explicitly required to conform to any regulations, but chooses to do so because it supports the spirit of the regulations, particularly the privacy of personal data. Suzanne Hall, director of IT operations and security at AARP, was recently nominated for an Information Security Executive of the Year award by the Executive Alliance, partly as a result of her compliance-related work and advocacy. “We benchmark ourselves against many of the regulations, and GLBA particularly. Our security program is based on corporate value and protecting our members’ privacy,” Hall says. “We take a unique approach to membership. We do not sell the AARP membership list.” In 2001, AARP performed a gap analysis against the requirements of GLBA, which is focused on the privacy of personal data. AARP improved privacy monitoring and network perimeter security, and IT security began reporting to the AARP board about the organization’s data-protection efforts on an annual basis.
The first is the availability and integrity of existing operational technologies. The hardening of servers and protection of the perimeter serve those ends.
Therefore, the thinking goes, any privacy protection failure on the part of AARP itself is unacceptable. Hall also places great emphasis on being able to document AARP’s compliance efforts through the gathering and reporting of security-related metrics designed by herself and her team.
SOX on Top

Regulatory compliance/noncompliance issues ranked fifth in our 2004 Secure Enterprise Strategic Deployment Survey among methods for assessing risk, with just less than half of respondents saying they look at compliance before making security purchases. Last year, the leader was the Federal Privacy Act, followed by SOX.
Antivirus tools and other security software will always play a big role in compliance, especially for companies that hold the “two big species of data that matter now”–customer and financial data–but there’s no magic bullet, says Dave Stampley, general counsel and compliance specialist at IT consulting firm Neohapsis.
The magazine spoke with information security pros who’ve gotten a grip on compliance, and we found two key directives: First, team up with business execs and legal experts to analyze which data falls under regulatory purview.
http://www.compliancepipeline.com/showArticle.jhtml?articleID=178600385