The RSA Security conference will be held in San Jose, Calif., the week of Feb. 14, and one of the issues to be...
addressed there will be regulatory compliance. This story looks at compliance trends for the coming year.
Jeff Bardin is like many IT security pros. He's seeking the perfect recipe for compliance, trying to figure out the best way to meet the common criteria of multiple regulations without missing subtle differences from one law to the next.
"It seems there's a new compliance deadline every week," said Bardin, CISO of Worcester, Mass.-based Hanover Insurance Group. "You just do your best to have the right process to control data flow and access, educate the workforce on the responsible use of e-mails, IM, and so on. The big challenge is human behavior, teaching people to be careful how they handle information and making them understand how the company could suffer should there be a breach. We only want to be in the newspaper for the right reasons."
That can be a tall order for an enterprise of Hanover Insurance's size. The 4,700-employee company does business in every state in the U.S. and has 40 offices with "more opening all the time," Bardin said. There are 6,000 workstations and 600 servers to look after. And there's a buffet of regulations the company is bound by. "We're constantly audited by state examiners and regulators," Bardin said, adding that the company is bound by the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), FCC rules, "and all the different state data breach notification laws."
The rules are all designed with the same general purpose: to ensure companies protect electronically stored data and come clean when hackers crack the network and compromise sensitive information. But each new law has subtle differences and IT security professionals live in fear of missing things. As a result, they are clamoring for better guidance from government and industry groups on how to develop a one-size-fits-all approach to compliance.
"We're hearing people really trying to get their arms around best practices," said Jim Wade, executive director and chief operating officer of the International Information Integrity Institute (http://i4online.com), a global network of companies and organizations. Member companies' IT security officers meet behind closed doors several times a year in different locations around the world to discuss their biggest security challenges. Wade sees a growing hunger for a more common compliance blueprint.
"They see the need to make an integrated effort and come up with an integrated set of requirements," he said. "They're trying to figure out how to comply with multiple regulations without reinventing the wheel."
He said CSOs are also looking at how to integrate "the next thing that comes along," worrying about "how you take a new set of regulations and integrate it with the processes you already have in place for other regulations."
One of the latest things to come along is from the Federal Financial Institutions Examination Council (FFIEC). Under guidelines it issued in October, financial institutions must show by the end of 2006 that they have strong systems in place to authenticate the identity of customers who use online services. Neal Creighton, CEO and president of Needham, Mass.-based GeoTrust, said the standards require that banks use "some method of two-factor authentication."
Chrisan Herrod, CSO of the Securities and Exchange Commission, agrees that CSOs are hungry for a streamlined compliance blueprint. She added that companies are also under pressure to show that the compliance technology and policies they've put in place are more than window dressing.
"Technology security controls may be in place for major financial applications, but they are cosmetic in their effectiveness if the financial control accounting processes are not closely monitored and there are ineffective practices regarding separation of duties and manual reviews," she said.
Those clamoring for a more common blueprint may find solace in some guidelines already available. Marc Zwillinger, chairman of the Information Security and Internet Enforcement Group at Washington D.C.-based law firm Sonnenschein Nath & Rosenthal, noted, for example, that the FTC Safeguard rule is the single most important information security regulation passed to date for the private sector. Many of its requirements mirror those found in SOX and GLBA, he told attendees at the MIS Training Institute conference on managing IT and security compliance in Boston last June.
The rule requires that financial institutions "develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities and the sensitivity of any customer information at issue."
"The FTC rules are easiest to read and audit," he said. "This is what enforcement audits are currently based on."