New security risks, along with increased demands for accountability, are changing the compliance picture. IT risk management and compliance expert Joe Degidio recently discussed the compliance landscape and the issues that organizations must understand and address.

Joe Degidio, Compliance Principal for Fulcrum-Meade Consulting, has been working in the information technology industry since 1982. For the last eight of those years, he has focused on governance, risk, and compliance (GRC). When he started, he says, compliance standards as we know them today did not exist. ISO (the International Organization for Standardization) and COBIT (Control Objectives for Information and Related Technology) both released their foundational compliance documents, the 9000 and v3 versions, in 2000. These began to provide a framework for fundamental security in business computing. From there, standards developed within specific areas, such as the Electronic Protected Health Information Act and Sarbanes-Oxley. Most of what was in the original ISO 17799 standard is still relevant but has been expanded upon, particularly around separation of duties.

Today, Joe’s concentration is on PCI (payment card industry) and HIPAA (healthcare) personal information protection and data-loss protection policies. I asked him to talk about some of the key pieces of compliance that need to be generally understood, as well as how the current compliance picture is changing with the new risks of ubiquitous access and the need for up-to-the-minute accountability.


1. Jeff: Let’s talk about definitions first. It used to be that security was much more subjective, and companies had an implied responsibility to develop internal measures based on their own specific needs. Now that we have this more objective understanding of security, what is the relationship between compliance and governance?
Joe: That’s a good place to start. Gartner recently came out with a specific definition of the governance, compliance, and risk areas after some lengthy machinations, and here’s how they break it down. Governance covers all the laws and prescriptive controls that are needed in an organization. Compliance covers the steps a company chooses to take to conform to governance in any variety of ways. Risk is the set of potential steps an organization elects not to take at a given time. So there is still a measure of priorities and interpretation, but the expectations have become more standardized.
2. Jeff: To put those all in perspective within the grand scheme of things, is there a recent milestone or development like Web 2.0 or the cloud or social media that you can identify as a point when there was a sea change in the compliance area?
Joe: Well, Web 2.0 is certainly one of those ongoing developments. But one that’s even more current right now is the number of employees being laid off or potentially being terminated for one reason or another. Every security officer at these downsizing companies should be concerned with who has access to what data and how and when. I know of one employee who found out he was going to be let go and decided to send a bunch of CAD/CAM drawings off to an address in China. Fortunately, the e-mail software picked up on the .CN and stopped it in the e-mail gateway.

With Web 2.0, on the other hand, the real issue is that the collaboration sites can’t be trusted at a business level. It’s easy for malware or botnets to attach themselves to a browser and infect the network. The answer for most companies is just to make them verboten, but for those who do see the business value, what needs to be created is a “socialization zone” using something like Citrix or VMware outside the DMZ. This requires special authentication rights, one-way traffic, and a “wipe-clean” OS, like the Citrix “streaming OS” that rewrites itself every day. I have customers who are doing it successfully. It creates some minor limitations within the environment, but it satisfies the requirements of the business.

3. Jeff: Is security more of a problem in an IT company where people are tech-savvy? For example, are those being laid off at GM going to be less likely to have an 8-gigabyte card in their pocket or a terabyte drive in their briefcase than, say, someone at Sun or Yahoo?
Joe: No, I wouldn’t make that assumption at all. What I’m seeing is that regardless of what company you’re talking about, intellectual property information is so readily available that anyone who is smart enough can get to it. The key issue is that most businesses still don’t classify their data and they don’t track who has downloaded what.

Data classification is one of the first things we do when we go into a company to address data loss protection. Most companies are paying way too much attention to their datacenters and firewalls, making sure that sensitive information is behind the firewall and not in the DMZ. Those things are important, but they could spend half the amount of time on data classification in terms of a risk profile and be much better off. Ironically, one of the first things that gets scrutinized in a budget is the ability to protect the organization against a data loss. The truth is that if it does get out, in terms of board-level culpability, it’s the single area that can hurt an organization the most.

4. Jeff: What kind of misperception is making executives think data loss protection should be classified in the discretionary category?
Joe: It’s a budget-item perception. Let’s face it: Executives are very good at budgeting money toward commodities. People want more disks, more SAP licenses, more Oracle licenses, which are all needed and important to the business. But they are not as likely to say, “We really need to focus some resources on this area of classifying and protecting our data.”
5. Jeff: If you had to pick three things that an executive in any industry should be paying attention to in terms of compliance, what would they be?
Joe: Number one is having a Web 2.0 strategy in place. That includes everything from HR policies down to what Web sites you can or can’t access and how you can collaborate, and making sure all that is being monitored.

The next thing is intellectual property protection. Here’s a hypothetical example. Let’s say a bakery has a particular recipe that is sacred to the company. The executive team believes the recipe is well protected and the guys in IT assure them it is. Then one day, they put a linguistic analyzer on the network and discover the recipe is all over the place in different variations and so on. Now how do they find out what happened if it was just a matter of attaching it to an e-mail and sending it? Avoiding this kind of situation means taking a few simple steps to encrypt it, classify it, and monitor who has it. Companies like BitArmor and Verisoft can keep track of where it is and who has it and stop it in the system. The linguistics of the information are analyzed and recognized when it’s being edited or transmitted. It’s sort of like the Gmail feature that recognizes when the word “attachment” is in your message and prompts you that nothing is attached yet. A simple version of this is used in spam filters as well.

Finally, I would say there is a need to get this kind of policy openly in place and make a big splash about it. Make it something people can put confidence in. Especially if you’re a service provider, you need to establish to everyone you work with that you take the responsibility for safeguarding their data seriously.
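The two mechanisms Joe describes in this interview, the e-mail gateway that stopped the CAD/CAM drawings because of the .CN destination (question 2) and the linguistic analyzer that recognizes a classified document even when it has been edited (the recipe example above), can be sketched in a few dozen lines. The following is an added example written for this page, not code from the interview or from any of the products named in it. It fingerprints a protected document as a set of hashed five-word shingles, scores an outbound message part by what fraction of those shingles it contains (so paraphrased or partially edited copies still match), and also flags recipients in a blocked top-level domain. The blocked TLD, the 30% match threshold, the shingle size and the sample recipe and messages are all assumptions constructed for the demo, not policy or data from the page.

```python
"""Toy outbound-mail DLP check: fingerprint classified text with hashed word
shingles, then flag messages whose body or attachment matches the fingerprint,
or whose recipient sits in a blocked top-level domain.

Added example for this page; not the interview's or any vendor's code.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Assumption: policy blocks this destination TLD, mirroring the .CN anecdote.
BLOCKED_TLDS = {"cn"}
SHINGLE_WORDS = 5          # assumption: five-word shingles
MATCH_THRESHOLD = 0.30     # assumption: block when >= 30% of a protected doc is present


def shingles(text, k=SHINGLE_WORDS):
    """Hash every run of k consecutive words (lower-cased, punctuation stripped).
    Hashing keeps the protected text itself out of the fingerprint store."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    out = set()
    for i in range(len(words) - k + 1):
        chunk = " ".join(words[i:i + k]).encode()
        out.add(hashlib.sha256(chunk).hexdigest()[:16])
    return out


@dataclass
class Fingerprint:
    label: str
    shingles: set


def register(label, text):
    """Classify a document: record its label and shingle fingerprint."""
    return Fingerprint(label, shingles(text))


def similarity(fp, text):
    """Containment score: fraction of the protected document's shingles that
    appear in `text`. Edited copies lose only the shingles touching the edit."""
    if not fp.shingles:
        return 0.0
    return len(fp.shingles & shingles(text)) / len(fp.shingles)


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> text content


def recipient_tld(address):
    domain = address.rsplit("@", 1)[-1]
    return domain.rsplit(".", 1)[-1].lower()


def check_message(msg, fingerprints, threshold=MATCH_THRESHOLD):
    """Return ("block", findings) or ("allow", []) for an outbound message."""
    findings = []
    for rcpt in msg.recipients:
        tld = recipient_tld(rcpt)
        if tld in BLOCKED_TLDS:
            findings.append(f"recipient {rcpt}: blocked TLD .{tld}")
    parts = {"body": msg.body, **msg.attachments}
    for name, content in parts.items():
        for fp in fingerprints:
            score = similarity(fp, content)
            if score >= threshold:
                findings.append(f"{name}: matches '{fp.label}' ({score:.0%})")
    return ("block" if findings else "allow", findings)


# --- constructed sample data (not from the page) ---------------------------
RECIPE = ("Cream the butter and sugar until pale. Beat in the eggs one at a "
          "time. Fold in the flour, baking powder and salt. Bake at 175 "
          "degrees for twenty minutes.")
FINGERPRINTS = [register("secret-recipe", RECIPE)]

# An edited copy ("20" instead of "twenty", extra chatter) sent to a blocked TLD.
LEAK_MESSAGE = Message(
    sender="baker@example.com",
    recipients=["friend@mail.example.cn"],
    body="See attached, don't share.",
    attachments={"recipe_v2.txt": (
        "Hey, here's what we use: cream the butter and sugar until pale, beat "
        "in the eggs one at a time, fold in the flour, baking powder and salt. "
        "Bake at 175 degrees for 20 minutes. Enjoy!")},
)
BENIGN_MESSAGE = Message(
    sender="baker@example.com",
    recipients=["pal@example.org"],
    body="Lunch at noon? The bakery on Main has good coffee.",
)

if __name__ == "__main__":
    for m in (LEAK_MESSAGE, BENIGN_MESSAGE):
        verdict, findings = check_message(m, FINGERPRINTS)
        print(verdict, findings)
```

Only the shingles that touch the edit ("twenty" to "20") drop out, so the edited attachment still scores 24 of 26 shingles against the registered recipe and is blocked, while the benign lunch note scores zero and is allowed. A production gateway would hold the fingerprint store centrally, extract text from real attachment formats, and log the match for the audit trail Joe mentions, but the classify-then-detect sequence is the same.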

6. Jeff: What’s the most important thing to say in communicating that?
Joe: The most important statement is that the information is in a protected environment and audited by a third party. In some cases, you might include the standard you are using for your audits and possibly even mention that an audit report is available on request.
7. Jeff: In the next three to five years, what should people get on their radar in terms of compliance?
Joe: One is more prescriptive governance in terms of controls, like the payment card industry standard, which works surprisingly well. I don’t know why there is a reluctance to develop specifics around, “this is what you have to do to be compliant.” A proposal was brought in front of the California legislature toward establishing a minimum requirement for standards, but it was shot down. Actually, that may not have been all bad, because what you don’t want is this nanny-state where the government is monitoring you constantly. It would be better if we could agree as an industry on a self-imposed standard. I do expect more organizations over the next five years to say, “If we are going to do business, here is what we expect.” The Society of Auditing Standards has put out SAS-70, which is a step in that direction. But honestly all it does is confirm that controls are in place; it doesn’t tell you how strong the controls are.
8. Jeff: Is there a difference in the eyes of the law in terms of liability with an external breach like a hacker vs. an internal compromise from an employee? It’s malicious either way, but is there less liability if the information is taken from within the company?
Joe: The court is going to find them liable either way. I’m not a judge, but in the cases I’ve seen, that really doesn’t become relevant. Let’s say I’m doing a study on a 401(k) contribution plan for a large company and I’ve got a lot of information downloaded on my laptop and it gets stolen from my car. Does it make a difference if it was in the back seat or in my trunk? Not really. But if it was encrypted or can be disabled, there is no need to even report a security breach. As long as it’s been backed up, I’m just out the cost of the hardware.
9. Jeff: What about geographic differences? Do you see regional or cultural perceptions around the area of governance?
Joe: Absolutely; you wouldn’t believe it. The degree of regional difference is amazing. When you go to the coasts, they look at IT governance as an outward-facing strategy to protect the brand. The concern is around data being lost that could affect the brand, and IT governance is based on putting controls in place to limit that. They are fanatical about this. It’s one of the places where IT is automatically perceived as playing a strategic, pivotal role in the business.

In the Midwest, it’s not that way. The focus of governance is immediately inward. “How can we govern ourselves better and run our projects better?” I don’t know why, but the coasts are the technology bellwethers, and that may not be limited to governance. Ironically, being more conservative should lead to a greater emphasis on governance.

10. Jeff: That’s a fascinating observation. I’m sure that plays a central part in the way you differentiate between your customers and prospects. To wrap things up, can you point to a common theme that comes up in your recommendations?
Joe: It would have to be in the classifying of corporate assets. That’s an easy area to see immediate value for most companies. A lot of vendors will try to persuade you there’s a data-loss protection solution you can install, along the lines of an anti-virus or intrusion-detection system. But there is no panacea like that here. It’s a series of processes across many areas of an organization that first involves identifying and then controlling. Most of the veteran IT executives I talk to understand that and believe in governance, so the question becomes how to do it most effectively. In that sense, my job is easy as long as I can stay on top of the developments in the shifting landscape we’ve been talking about here.