Messaging Pipeline | Security

February 20, 2006

Quest For Compliance



Courtesy of

Page 2 of 5


Allstate takes particular care when it comes to the third-party partners with which it exchanges data. The company carried out a discovery process, first determining who those vendors were and then what types of information they have. Allstate ran on-site audits with those providers to ensure that they had the proper controls in place.

"If they don't meet our requirements, they'll work with us to put controls in place," Van Nostern says. "Otherwise, we might decide not to do business with them." The discovery exercise proved enlightening for Allstate, which hadn't carried out a detailed examination of how and with whom it trades data. "It's an eye-opener to see how many exchanges you have," she says.

The dynamics around the way data is used must also be understood before a company can get down to the specifics of which technologies it should deploy, and where. This means learning where data is stored, where it's moved internally, which apps use it, and how it's shared or exchanged. Data discovery also requires determining which sets of information are relevant to each regulation. Data-retention policies that include automatic deletion after the applicable retention regulations expire are important as well. After Allstate got a grasp on the ins and outs of its data, it got specific about the technological controls it would put on its access and the ways data is transmitted.

Allstate's approach falls in line with advice from Dick Mackey, principal at consulting firm Systems Experts. Mackey suggests organizations keep their regulatory compliance as narrow as possible, worrying only about the systems and applications relevant to a particular regulation. For example, Sarbanes-Oxley is essentially about financial reporting, Mackey says. He recommends trying to segregate internal systems so those related to Sarbanes-Oxley are cordoned off from systems that are irrelevant to it, such as company informational Web sites. Once an information security team has done that, it has isolated a smaller environment to deal with.

"Otherwise," Mackey says, "you're trying to boil the ocean."

With Sarbanes-Oxley, the highest level of compliance requires a control framework with a design Mackey breaks into a small set of general components. First, organizations must determine if their systems are as secure as they should be. Second, systems must be configured to maintain security. Next, systems and apps should be accessible only to those who need to use them. That framework is a good starting point for getting into specific technologies, which might include identity-management applications, workflow tools, records and documentation tools, and technologies that control which employees can make changes to code. Obviously, core security functions such as patch management, encryption, virus detection, and firewalls are critical and relevant to more than just one regulation.

In today's interconnected enterprise, compliance also means keeping tabs on suppliers, vendors, and other partners. One privately held investment-management company, which asked not to be identified, keeps tabs on third parties ranging from payroll vendors and boutique dot-coms to data processors, marketing firms, and application service providers. The company designed a process under which it evaluates its own business needs related to the services each partner provides. It then assigns a compliance risk level to each third party, based on the type of data it shares with the partner. If the firm deems shared data as either "confidential" or "highly confidential," then the partner receiving that data is categorized as "high risk."

"It's important to note their category isn't based on their controls but the amount and type of our data they have in their possession," an IT exec at the investment-management firm says. "With third parties, it's really all about the data itself."

The company hires security firms and external auditors to assess partners' technological infrastructures. These architecture reviews take place annually. Audits determine whether each third party has security best practices in place and whether it has developed its services with security in mind.

Across The Miles

Other organizations are so far-flung, both geographically and in terms of interrelated networks, that building a foundation for compliance can require several infrastructure assessments. That's the case at the Indiana University School of Medicine, which must comply with HIPAA across 36 departments.
