Complying with government regulations is fast becoming a big part of every IT department's mission, as more and more laws are passed that impose requirements for the handling of electronic data. Large or small, if your company belongs to a regulated industry such as healthcare or financial services or any publicly traded company, meeting federal and state (and sometimes local) requirements can take a big chunk of your time and budget. And it's not just those in the U.S. who fall under such regulations; Canada, the European Union and other entities also have laws governing data privacy, personal information protection and electronic documents.
Although the requirements themselves are the same, the compliance solution that works for a huge hospital chain or a national bank may not be the one that's most appropriate or cost effective for a small neighborhood clinic or a five-person tax preparation firm.
If your business is small, you don't want to overspend on a compliance solution (something that's easy to do when you aren't sure what you actually need and you're at the mercy of a pack of software salespeople who are trying to convince you that more is always better), but you do recognize that your small business will (you hope) grow, and you want a solution that will scale along with that growth.
If your business is already large, scalability is even more of an issue; you need a solution that's robust enough to handle multiple types of protected data that are collected and stored at multiple locations and may travel through a complex network system.
With hundreds of compliance consultants and software vendors competing for your business, how do you select a solution that meets your needs today and can be easily expanded as those needs change?
Understand regulatory requirements
The first step is to arm yourself with "just the facts" about the regulatory requirements that apply to your industry. There's plenty of FUD (Fear, Uncertainty and Doubt) out there regarding compliance issues, to the point that many company officials are in fear of having their companies shut down or even going to jail if they don't buy the most expensive compliance solution right now.
It's true that compliance is a serious matter, but you should seek information about what you need to do in order to comply from legal counsel, not from salespersons who have a commission at stake.
One problem is that the statutes tend to be somewhat vague in terms of exactly what you're required to do. For example, the Safeguards rule of the Gramm-Leach-Bliley (GLB) Act (a.k.a. the Financial Modernization Act of 1999) requires financial institutions to "identify risks to customer information and assess existing safeguards, implement safeguards that are needed to fill any gaps, and monitor the effectiveness of all safeguards."
It would be far simpler if requirements spelled out exactly what technological safeguards are to be implemented (for example, that all customer information stored on systems that are accessible via the network must be encrypted). However, you can see why that's not possible: technology changes at a rapid pace and new methods of intrusion and attack are developed on a daily basis. Even a simple requirement that data "be encrypted" doesn't ensure that it's secure if the encryption is a type that's easily cracked. For example, sending customer information across a wireless network could still subject it to interception and disclosure even if WEP encryption is used, because of WEP's known vulnerabilities.
Some regulations, such as HIPAA, are so complex that they've spawned fat books and certification courses. Others, such as Sarbanes-Oxley (SOX), are relatively new, and compliance can be extremely expensive, especially for smaller companies.
In most cases, regulations require that the company appoint a person or team within the company to be responsible for compliance. Even when that's not the case, you should do so, and ensure that the selected person(s) get the proper training in the specific regulations that apply to you.
Selecting a solution
The first step in planning your solution is to recognize that compliance involves more than a piece (or multiple pieces) of software. Compliance can significantly affect the way you do business. Any security plan, whether it's implemented because of government regulations or not, starts with the development of policies.
Next, you need to assess which systems are affected by compliance regulations. For example:
- Assess perimeter controls to ensure that regulated data is protected from intrusion or attack that could result in disclosure.
- Assess storage systems at the server level (access controls/permissions, strong authentication) to ensure that if an intruder does penetrate the network, he can't access the systems on which the protected data is stored.
- Assess disk and file level security (encryption) to ensure that if an intruder is able to access the server, he won't be able to read the information in the files.
- Assess communications applications (e-mail, instant messaging) to ensure that protected data can't be leaked in that way. This may require active monitoring, keyword filtering of outgoing traffic, and the like. You must also assess archiving policies to ensure the safety of stored messages.
If scalability is a priority, a modular solution may be the answer. This means security can be upgraded or capacity can be expanded at different levels independently. It may mean using different vendors' products to provide different levels of protection (i.e., firewall/perimeter, storage, server, communications).
Many companies offer "turnkey" compliance solutions that integrate with the company's existing network infrastructure. These are targeted toward specific industries; for example, last June Qumas announced a pre-configured compliance solution for pharmaceutical firms called PharmaQCompliance. It uses a subscription licensing model based on number of users. SenSage offers separate "out of the box" solutions designed to help companies comply with SOX or HIPAA.
Another option is to contract with a service that provides security by diverting your network traffic through their own networks. These managed security services can take a load off your network administrators' backs and offer protection against attack, managed firewall and VPN services, email security, encryption, etc. Compliance Solutions can provide a full outsourced compliance department.
Either way, a big question is whether the product or service is actually a compliance solution developed by software professionals or a software solution developed by compliance professionals. The ideal, of course, comes from a collaboration of the two.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.