February 20, 2006 Quest For Compliance By Ted Kemp, Secure enterprise Courtesy of Page 1 of 5 Searching for products that will help satisfy government regulations? Many vendors claim to have all the answers, but just try to find a marketing rep willing to get into specifics about how the technology maps to particular elements of Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act, and Sarbanes-Oxley. In the end, assessing your organization's compliance needs must be done in-house. It's never going to be easy, but information security professionals can count on a few things: You'll be responsible for determining which technology deployments meet which requirements, and it starts with an understanding of your business needs and organizational structure, not with technology itself. Compliance means tough security, Allstate's Van Nostern says. Photo by Jeff Sciortino If you think you know how difficult regulatory compliance can be, try being a chief information security officer from a company that must adhere to the Big 3: Sarbox, HIPAA, and Gramm-Leach-Bliley. That's the story for Kim Van Nostern, CISO at Allstate Insurance. The company's workplace division sells insurance within businesses, which means it must manage some medical-related information relevant to HIPAA. As a financial-services firm, All-state must conform to Gramm-Leach-Bliley. And the company is publicly traded, which means Sarbox compliance is a must. The good news--such as it is--is that a given technology deployment might help with adherence to more than one regulation, Van Nostern says. The bottom line is tough security. "Every piece of legislation requires the same kind of controls, especially security controls," she says. "They require you to have a robust security environment. Each of them requires similar things, they just put a different kind of filter on them." That said, experts are quick to point out that none of the Big 3 regulations is explicit about the types of technologies companies should deploy to achieve compliance. Some regulations, such as the EU Data Directive, are, in fact, prescriptive when it comes to technology, and IT security pros who dig deep into HIPAA might find recommendations related to authentication technology, for example. But overall, when it comes to Sarbox, HIPAA, and Gramm-Leach-Bliley, deciding which applications to put in place and which aren't necessary is something each organization must tackle on its own. "If you look at section 404 [of Sarbanes-Oxley], the section that sort of started it all, it says only that you have to have 'effective business controls,'" says Diana Kelley, senior analyst at the Burton Group. "But how you interpret 404 down on the bits and bytes level is where you're going to find different interpretations of how to achieve compliance." Kelley recommends you first determine which systems and applications are necessary for the business to continue running. This exercise helps organizations find their vulnerabilities. A financial-services firm, for instance, must get a handle on its risks when it exchanges data with other banks or the Federal Reserve. Only business-side executives are going to have a true grasp of which applications are critical to operations, and security staff will do well to turn to those individuals first, even before bringing on an audit team, Kelley says. "That's the key: understanding your business," Kelley says. "Do that first. Then you can figure out what your risks are, what your vulnerabilities are." Allstate's Handiwork Allstate had its legal officers, privacy officers, and CISO Van Nostern review each regulation in detail and then work together to formulate steps the company should take to achieve compliance. Eventually, that process came down to specific technologies. HIPAA doesn't explicitly require firms to encrypt E-mail going to or from third-party partners, for example. But Allstate decided compliance required doing so when E-mails contained medical data. And the same technology can help secure credit-card or financial information that isn't relevant to HIPAA but is germane to other regulations. Technologies that audit or log security events, or those that manage access control, can apply to more than one regulation as well. With most regulations, even those beyond Sarbox, HIPAA, and Gramm-Leach-Bliley, document retention plays a role. E-mail This Story Print This Story Page 2: next page Page 1 | 2 | 3 | 4 | 5 Get the latest Messaging news, product info, and trends every week.			Spyware And Adware Continue To Plague PCs Morgan Stanley Muddles Through An E-Mail Mess FTC Smacks Spammer With $900K Fine Report: Demand Continues To Grow For E-mail Archiving IM: Real-Time Securrity Problems For Financial Services Bot Herders Ready Attack Against Message Forums     Messaging Pipeline's Main RSS Feed     Messaging Pipeline's Blog RSS Feed Editorial and vendor perspectives The Six Flavors Of Windows Vista Microsoft plans to release a full six-pack of Vista versions, one for every taste. Which Vista will be right for you? Hope is Not Enough When It Comes To Compliance Three Ways To Authenticate E-Mail And Stop Spam Wikis In The Workplace Review: Google Desktop 3 Vendors are now talking about how collaboration can be improved by integrating video with messaging applications. They're even talking about adding live TV to mobile phones. How far do you go before it becomes a bandwidth and business productivity drain? Video is a great idea     13% Video is fine but there needs to be size limits     25% It's never used for anything really productive     38% I draw the line at live TV     25% In search of messaging products? Check out our brand new Product Finder for a directory of groupware and collaboration tools, security products, archiving solutions, and more.