Messaging Pipeline | Security

February 20, 2006

Quest For Compliance

Page 1 of 5

Searching for products that will help satisfy government regulations? Many vendors claim to have all the answers, but just try to find a marketing rep willing to get into specifics about how the technology maps to particular elements of Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act, and Sarbanes-Oxley.

In the end, assessing your organization's compliance needs must be done in-house. It's never going to be easy, but information security professionals can count on a few things: You'll be responsible for determining which technology deployments meet which requirements, and it starts with an understanding of your business needs and organizational structure, not with technology itself.

Compliance means tough security, Allstate's Van Nostern says. (Photo by Jeff Sciortino)

If you think you know how difficult regulatory compliance can be, try being a chief information security officer at a company that must adhere to the Big 3: Sarbox, HIPAA, and Gramm-Leach-Bliley. That's the story for Kim Van Nostern, CISO at Allstate Insurance. The company's workplace division sells insurance within businesses, which means it must manage some medical-related information relevant to HIPAA. As a financial-services firm, Allstate must conform to Gramm-Leach-Bliley. And the company is publicly traded, which means Sarbox compliance is a must.

The good news--such as it is--is that a given technology deployment might help with adherence to more than one regulation, Van Nostern says. The bottom line is tough security. "Every piece of legislation requires the same kind of controls, especially security controls," she says. "They require you to have a robust security environment. Each of them requires similar things, they just put a different kind of filter on them."

That said, experts are quick to point out that none of the Big 3 regulations is explicit about the types of technologies companies should deploy to achieve compliance. Some regulations, such as the EU Data Directive, are, in fact, prescriptive when it comes to technology, and IT security pros who dig deep into HIPAA might find recommendations related to authentication technology, for example. But overall, when it comes to Sarbox, HIPAA, and Gramm-Leach-Bliley, deciding which applications to put in place and which aren't necessary is something each organization must tackle on its own.

"If you look at section 404 [of Sarbanes-Oxley], the section that sort of started it all, it says only that you have to have 'effective business controls,'" says Diana Kelley, senior analyst at the Burton Group. "But how you interpret 404 down on the bits and bytes level is where you're going to find different interpretations of how to achieve compliance."

Kelley recommends you first determine which systems and applications are necessary for the business to continue running. This exercise helps organizations find their vulnerabilities. A financial-services firm, for instance, must get a handle on its risks when it exchanges data with other banks or the Federal Reserve. Only business-side executives are going to have a true grasp of which applications are critical to operations, and security staff will do well to turn to those individuals first, even before bringing on an audit team, Kelley says.

"That's the key: understanding your business," Kelley says. "Do that first. Then you can figure out what your risks are, what your vulnerabilities are."

Allstate's Handiwork

Allstate had its legal officers, privacy officers, and CISO Van Nostern review each regulation in detail and then work together to formulate steps the company should take to achieve compliance. Eventually, that process came down to specific technologies. HIPAA doesn't explicitly require firms to encrypt E-mail going to or from third-party partners, for example. But Allstate decided compliance required doing so when E-mails contained medical data. And the same technology can help secure credit-card or financial information that isn't relevant to HIPAA but is germane to other regulations. Technologies that audit or log security events, or those that manage access control, can apply to more than one regulation as well. With most regulations, even those beyond Sarbox, HIPAA, and Gramm-Leach-Bliley, document retention plays a role.

© 2006 Messaging Pipeline. All rights reserved.