February 20, 2006
Quest For Compliance
By Ted Kemp, Secure Enterprise
Allstate takes particular care when it comes to the third-party partners with which it exchanges data. The company carried out a discovery process, first determining who those vendors were and then what types of information they have. Allstate ran on-site audits with those providers to ensure that they had the proper controls in place.
"If they don't meet our requirements, they'll work with us to put controls in place," Van Nostern says. "Otherwise, we might decide not to do business with them." The discovery exercise proved enlightening for Allstate, which hadn't carried out a detailed examination of how and with whom it trades data. "It's an eye-opener to see how many exchanges you have," she says.
Before a company can get down to the specifics of which technologies to deploy, and where, it must also understand how its data is used: where it is stored, where it moves internally, which applications use it, and how it is shared or exchanged. Data discovery also means determining which sets of information fall under each regulation. Data-retention policies that automatically delete data once the applicable retention period expires are important as well. Once Allstate had a grasp of the ins and outs of its data, it got specific about the technological controls it would place on access to that data and on the ways it is transmitted.
Allstate's approach falls in line with advice from Dick Mackey, principal at consulting firm SystemExperts. Mackey suggests organizations keep the scope of their regulatory compliance as narrow as possible, worrying only about the systems and applications relevant to a particular regulation. For example, Sarbanes-Oxley is essentially about financial reporting, Mackey says. He recommends segregating internal systems so that those related to Sarbanes-Oxley are cordoned off from systems that are irrelevant to it, such as company informational Web sites. Once an information security team has done that, it has a smaller, isolated environment to deal with.
"Otherwise," Mackey says, "you're trying to boil the ocean."
For Sarbanes-Oxley, Mackey says, the highest level of compliance requires a control framework, which he breaks into a small set of general components. First, organizations must determine whether their systems are as secure as they should be. Second, systems must be configured to maintain that level of security. Third, systems and applications should be accessible only to those who need to use them. That framework is a good starting point for choosing specific technologies, which might include identity-management applications, workflow tools, records and documentation tools, and technologies that control which employees can make changes to code. Core security functions such as patch management, encryption, virus detection, and firewalls are, of course, critical and relevant to more than one regulation.
In today's interconnected enterprise, compliance also means keeping tabs on suppliers, vendors, and other partners. One privately held investment-management company, which asked not to be identified, tracks third parties ranging from payroll vendors and boutique dot-coms to data processors, marketing firms, and application service providers. The company designed a process under which it evaluates its own business needs related to the services each partner provides. It then assigns a compliance risk level to each third party, based on the type of data it shares with that partner. If the firm classifies the shared data as either "confidential" or "highly confidential," the partner receiving it is categorized as "high risk."
"It's important to note their category isn't based on their controls but the amount and type of our data they have in their possession," an IT exec at the investment-management firm says. "With third parties, it's really all about the data itself."
The company hires security firms and external auditors to assess partners' technological infrastructures. These architecture reviews take place annually. Audits determine whether each third party has security best practices in place and whether it has developed its services with security in mind.
Across The Miles
Other organizations are so far-flung, both geographically and in terms of interrelated networks, that building a foundation for compliance can require several infrastructure assessments. That's the case at the Indiana University School of Medicine, which must comply with HIPAA across 36 departments.