Like many companies small and large, Pennsylvania State Employee Credit Union (PSECU) in Harrisburg had been taking...
a somewhat piecemeal approach to IT security and regulatory compliance. The credit union used Security Professional Institute templates to facilitate compliance with key regulations like the Sarbanes-Oxley Act. A compliance officer tracked regulations and notified Kevin Doyle, the credit union's information security manager, of new compliance requirements.
About three years ago, however, things began to change.
"We noticed that auditors were more knowledgeable and more serious about security, and the scrutinizing level had gone up," Doyle reported. He attributed this mainly to the Graham-Leach-Bliley Act (GLBA), enacted in 1999. To achieve compliance with GLBA, financial services firms need to identify vulnerabilities in electronic systems and assess the likelihood and impact of threats as well as the sufficiency of controls to mitigate those risks.
Doyle recognized that PSECU needed a more comprehensive and proactive approach to data security and privacy to not only comply with GLBA, but also to address data security and privacy needs for the organization and its customers. PSECU serves about 120,000 e-commerce users, primarily via electronic connections like the Web and e-mail, which are vulnerable to break-ins.
However, as a small firm with only 500 employees, the credit union had limited manpower to enforce security policies. "Security is done by me and one other person," Doyle said. The firm needed to define a formal set of security policies and then make sure "that everyone in the organization took the policies seriously, and knew their responsibilities."
Regulatory compliance can be a thorny issue for SMBs, particularly public companies in highly regulated sectors such as government and finance. "They have the same number of regulations to comply with as larger organizations, but they don't have the full time staff to cover them," said Patrick McBride, vice president of compliance solutions at Scalable Software LLC in Houston.
That's why small and midsized businesses (SMBs) need, as much as large companies, to take a top-down, policy-based approach to compliance, McBride suggests. Deploying new policies and procedures for each new regulation that comes down the pike is simply too costly and inefficient. IT and security people spend all their time fighting fires and reinventing the wheel. "Best case, you keep having more policies to follow; worst case, they overlap and conflict," he said.
French Caldwell, a research vice president at Stamford, Conn.-based Gartner Inc., said, "A bottom-up approach to resources is too diffused, and you end up overlooking things that turn out to be important. Companies try to leave no stone unturned, but not all stones are equal; and if you're an SMB, you can't get at all the stones." Furthermore, staff members often have no idea what key security measures have been overlooked -- until federal regulators or lawyers come knocking.
Both small and large organizations need to step back and normalize their control set, policies and procedures, McBride said. "A good framework allows you to meet the broadest set of requirements across multiple regulations, without killing the IT department on the back end."
Fortunately, a number of standards organizations have come up with guidelines for implementing a policy-based regulatory compliance and security framework. These include International Standard Organization 17799; the IT Infrastructure Library (ITIL), which provides IT best practices in a variety of areas; and the IT Governance Institute's Control Objectives for Information and Related Technology (Cobit), which is often used by auditors.
The guidelines focus not only on how to comply with individual regulations, but also on improving the overall governance of the IT organization and how to prioritize resources to address areas of greatest risk, Caldwell noted. Companies that have followed 1799 and ITIL "have good security policies and documentable, testable controls in place, not just shelfware." Gartner clients who had implemented the guidelines "had a much easier time when Sarbox came along," Caldwell said.
IPSECU is working toward ISO 17799 compliance right now, with the help of Scalable Software's consultants and software. "Scalable took existing policies and did a gap analysis, to see what was needed for ISO compliance," Doyle said.
Doyle began ISO 17799 training in December. He said he hopes to lay out the scope of the project by May, and submit it to ISO auditors. "Then we have to document all the procedures to show we're following best practices," Doyle said, adding that he expects this part of the initiative to take about six months.
Once IPSECU has been certified as ISO 17799-compliant, "We need to build security practices into everyday tasks, make sure people understand that this is the way we do things from now on," Doyle said. "That'll be the hard part." For instance, "With new projects and security incidents coming at you from all directions, it's hard to remember to document everything."
However, Doyle said he expects the rewards to justify the pain. "We figure that if we're in compliance with ISO 17799, everything else will fall into place, including GLBA compliance."
This article originally appeared on SearchSMB.com.