Complying with government regulations is fast becoming a big
part of every IT department’s mission, as more and
more laws are passed that impose requirements for the handling of electronic
data. Large or small, if your company belongs to a regulated industry such as
healthcare or financial services or any publicly traded company, meeting
federal and state (and sometimes local) requirements can take a big chunk of
your time and budget. And it’s not just those in the U.S. who fall under such
regulations; Canada, the European Union and other entities also have laws
governing data privacy, personal information protection and electronic
documents.
Although the requirements themselves are the same, the
compliance solution that works for a huge hospital chain or a national bank
may not be the one that’s most appropriate or cost effective for a small
neighborhood clinic or a five-person tax preparation firm.
If your business is small, you don’t want to overspend on a
compliance solution (something that’s easy to do when you aren’t sure what you
actually need and you’re at the mercy of a pack of software salespeople who are
trying to convince you that more is always better), but you do recognize that
your small business will (you hope) grow, and you want a solution that will
scale along with that growth.
If your business is already large, scalability is even more
of an issue; you need a solution that’s robust enough to handle multiple types
of protected data that’s collected and stored at multiple locations and may
travel through a complex network system.
With hundreds of compliance consultants and software vendors
competing for your business, how do you select a solution that meets your needs
today and can be easily expanded as those needs change?
Understand regulatory requirements
The first step is to arm yourself with “just the facts”
about the regulatory requirements that apply to your industry. There’s plenty
of FUD (Fear, Uncertainty and Doubt) out there regarding compliance issues, to
the point that many company officials are in fear of having their companies
shut down or even going to jail if they don’t buy the most expensive compliance
solution right now.
It’s true that compliance is a serious matter, but you
should seek information about what you need to do in order to comply from legal
counsel, not from salespersons who have a commission at stake.
One problem is that the statutes tend to be somewhat vague
in terms of exactly what you’re required to do. For example, the Safeguards
Rule of the Gramm-Leach-Bliley (GLB) Act (a.k.a. the
Financial Modernization Act of 1999) requires financial institutions to
“identify risks to customer information and assess existing safeguards,
implement safeguards that are needed to fill any gaps, and monitor the
effectiveness of all safeguards.”
It would be far simpler if requirements spelled out exactly
what technological safeguards are to be implemented (for example, that all
customer information stored on systems that are accessible via the network must
be encrypted). However, you can see why that’s not possible: technology changes
at a rapid pace and new methods of intrusion and attack are developed on a
daily basis. Even a simple requirement that data “be encrypted”
doesn’t ensure that it’s secure if the encryption is a type that’s easily
cracked. For example, sending customer information across a wireless network
could still subject it to interception and disclosure even if WEP encryption is
used, because of WEP’s known vulnerabilities.
Some regulations, such as HIPAA, are so complex that they’ve
spawned fat books and certification courses. Others, such as Sarbanes-Oxley (SOX), are relatively new, and compliance can
be extremely expensive, especially for smaller companies.
In most cases, regulations require that the company appoint
a person or team within the company to be responsible for compliance. Even when
that’s not the case, you should do so, and ensure that the selected person(s)
gets the proper training in the specific regulations that apply to you.
Selecting a solution
The first step in planning your solution is to recognize
that compliance involves more than a piece (or multiple pieces) of software.
Compliance can significantly affect the way you do business. Any security plan,
whether it’s implemented because of government regulations or not, starts with
the development of policies.
Next, you need to assess which systems are affected by
compliance regulations. For example:
- Assess perimeter controls to ensure that regulated data is protected from intrusion or attack that could result in disclosure.
- Assess storage systems at the server level (access controls/permissions, strong authentication) to ensure that if an intruder does penetrate the network, he can’t access the systems on which the protected data is stored.
- Assess disk and file level security (encryption) to ensure that if an intruder is able to access the server, he won’t be able to read the information in the files.
- Assess communications applications (e-mail, instant messaging) to ensure that protected data can’t be leaked in that way. This may require active monitoring, keyword filtering of outgoing traffic, and the like. You must also assess archiving policies to ensure the safety of stored messages.
Ensuring scalability
If scalability is a priority, a modular solution may be the
answer. This means security can be upgraded or capacity can be expanded at
different levels independently. It may mean using different vendors’ products
to provide different levels of protection (i.e., firewall/perimeter, storage,
server, communications).
Many companies offer “turnkey” compliance solutions
that integrate with the company’s existing network infrastructure. These are
targeted toward specific industries; for example, last June Qumas
announced a pre-configured compliance solution for pharmaceutical firms called PharmaQCompliance. It uses a subscription licensing model
based on number of users. SenSage
offers separate “out of the box” solutions designed to help companies comply
with SOX or HIPAA.
Another option is to contract with a service that provides
security by diverting your network traffic through their own
networks. These managed security services can take a load off your network
administrators’ backs and offer protection against attack, managed firewall and
VPN services, email security, encryption, etc. Compliance Solutions can provide
a full outsourced compliance department.
Either way, a big question is whether the product or service
is actually a compliance solution developed by software professionals or a
software solution developed by compliance professionals. The ideal, of course,
comes from a collaboration of the two.