Searching for products that will help satisfy government regulations? Many vendors claim to have all the answers, but just try to find a marketing rep willing to get into specifics about how the technology maps to particular elements of Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act, and Sarbanes-Oxley.
In the end, assessing your organization's compliance needs must be done in-house. It's never going to be easy, but information security professionals can count on a few things: You'll be responsible for determining which technology deployments meet which requirements, and it starts with an understanding of your business needs and organizational structure, not with technology itself.
Compliance means tough security, Allstate's Van Nostern says.
The good news, such as it is, is that a given technology deployment might help with adherence to more than one regulation, Van Nostern says. The bottom line is tough security. "Every piece of legislation requires the same kind of controls, especially security controls," she says. "They require you to have a robust security environment. Each of them requires similar things, they just put a different kind of filter on them."
That said, experts are quick to point out that none of the Big 3 regulations is explicit about the types of technologies companies should deploy to achieve compliance. Some regulations, such as the EU Data Directive, are, in fact, prescriptive when it comes to technology, and IT security pros who dig deep into HIPAA might find recommendations related to authentication technology, for example. But overall, when it comes to Sarbox, HIPAA, and Gramm-Leach-Bliley, deciding which applications to put in place and which aren't necessary is something each organization must tackle on its own.
"If you look at section 404 [of Sarbanes-Oxley], the section that sort of started it all, it says only that you have to have 'effective business controls,'" says Diana Kelley, senior analyst at the Burton Group. "But how you interpret 404 down on the bits and bytes level is where you're going to find different interpretations of how to achieve compliance."
Kelley recommends you first determine which systems and applications are necessary for the business to continue running. This exercise helps organizations find their vulnerabilities. A financial-services firm, for instance, must get a handle on its risks when it exchanges data with other banks or the Federal Reserve. Only business-side executives are going to have a true grasp of which applications are critical to operations, and security staff will do well to turn to those individuals first, even before bringing on an audit team, Kelley says.
"That's the key: understanding your business," Kelley says. "Do that first. Then you can figure out what your risks are, what your vulnerabilities are."
Allstate had its legal officers, privacy officers, and CISO Van Nostern review each regulation in detail and then work together to formulate steps the company should take to achieve compliance. Eventually, that process came down to specific technologies. HIPAA doesn't explicitly require firms to encrypt E-mail going to or from third-party partners, for example. But Allstate decided compliance required doing so when E-mails contained medical data. And the same technology can help secure credit-card or financial information that isn't relevant to HIPAA but is germane to other regulations. Technologies that audit or log security events, or those that manage access control, can apply to more than one regulation as well. With most regulations, even those beyond Sarbox, HIPAA, and Gramm-Leach-Bliley, document retention plays a role.