Take technology out of your security policies to maintain compliance

Are you tired about wondering whether your organization is compliant with all the regulations that affect it? Mike Mullins has a rather unorthodox suggestion: Take the technology out of your policies. See why Mike says doing this will make it easier to address compliance in your company.

As the U.S. government continues to impose more and more regulations on businesses, compliance has become an increasingly sticky issue for many companies. Most legislation — including the Children's Online Privacy Protection Act, the Electronic Signatures in Global and National Commerce Act, the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Federal Information Security Management Act (FISMA), to name a few — all have a universal theme: They require companies to securely configure and control their network infrastructure.

Many organizations approach compliance from the wrong angle. They make the mistake of looking at the multitude of regulations and trying to decide: Are we compliant?

But that's not the right question. What companies really need to be asking is: Are our policies compliant, and do we follow our policies? Stop chasing compliance by implementing new security technologies, security devices, and/or security controls; instead, address the issue where it belongs — in your security policies.

Where to start

The first step is to understand that policies are a blend of your corporate and compliance requirements and legal obligations. A policy isn't a technological review — it's a compliance and legal guideline that addresses corporate requirements.

That's why you shouldn't create policies based on technology. Technology changes faster than you can modify your policies.

For example, don't say, "We must secure files containing customer information using file security and encryption." Instead, create a policy that states, "We must secure customer information so that only authorized individuals can view or modify it."

By changing the wording in this one sentence, you've made a huge difference. You've covered access permissions, both electronic and hard copy security, storage security, and the transmission of that information internal and external to your business environment.

Where this leads

It may seem counterproductive, but taking the technology out of your policies can help maintain compliance. You can use the policies to specify business goals while meeting legal requirements, and you can then use the policies to address the different areas of compliance.

One of the most troublesome areas of compliance is often auditing. Auditing can mean several different things depending on who you ask to define it. For example, an accountant and a firewall administrator will give you two completely different definitions. However, your policies must address both areas.

Don't write an IT security auditing policy that states, "Retain all electronic logs that contain records of system or file access for a period of three years" — you don't need to be that specific. Your overall security policy should state, "Retain records of all authorized and unauthorized access to business resources, systems, and processes." You've taken technology out of your policy and addressed compliance as an overall business process.

Final thoughts

Chasing compliance with changes to your network and new technology is a losing battle. The IT pros who manage the protection of your network are usually a sharp bunch. If you give them broad policies that address your corporate requirements, they'll use those policies to set security standards for your infrastructure — and enforce those standards through network compliance management. As long as your policy is up to date, your days of wondering Are we compliant? are over.

Miss a column?

Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Editor's Picks