While each regulation requires certain information be protected, fortunately the security principles and controls they rely on are remarkably consistent. A well-structured security and compliance program can capitalize on this consistency and save an organization from unnecessary complexity and overwhelming cost.
While each regulation has its peculiarities, all regulations require organizations to have a structure in place that addresses the following topics:
- Policy and governance
- Information classification
- Risk assessment and management
- Identify management and access control
- Service provider oversight
- Training and awareness
- Incident response
- Business continuity
Understand the requirements
The first step of any compliance process is to understand the requirements involved, including the intent of the regulations, type of information that needs to be protected and risks affecting that information. HIPAA, PCI DSS, and GLBA all clearly specify the information that needs to be safeguarded. The Sarbanes-Oxley Act (SOX), on the other hand, leaves much open to interpretation -- even with guidance from the Public Company Accounting Oversight Board (PCAOB), which offers guidance to corporate auditors.
Understanding the risks to information in the context of your business is another matter. No standard document can do this for you. To that end, let's look at two examples of how a common approach to addressing requirements that span regulations can ensure more consistent controls and economies of process and technology.
Common requirement: Risk assessment and management
All regulations require organizations to have a risk assessment and management process in place. The PCI DSS notes risks and threats in Requirement 12. Maintain an Information Security Policy. Requirement 12.1.2 specifies that organizations have an annual process that identifies threats and vulnerabilities, and which results in a formal risk assessment. This same section further requires risks and policies to be reviewed throughout the year.
HIPAA also requires a formal risk assessment and management process in Section 164.308(a)(1), Security Management Process. The regulation requires that organizations:
- Identify all systems and applications that deal with electronic protected health information (EPHI)
- Accurately and thoroughly assess risks to the confidentiality, integrity, or availability of EPHI
- Assess adequacy of current controls
- Implement a risk management program
While the directive to conduct formal risk assessments is clear, financial organizations trying to comply are hard pressed to understand how to conduct formal risk assessments or implement a risk management program.
Financial organizations that use frameworks like ISO 27002 or COBIT to organize their security and compliance efforts will recognize the same requirements in those standards. Fortunately, the frameworks provide better guidance in implementing risk assessment and emphasize the importance of risk assessment and management in establishing and meeting overall security goals. It can also be helpful to look to a risk management framework like OCTAVE from Carnegie Mellon University as a model to meet the requirements of ISO 27002 and regulations like PCI DSS and HIPAA.
Common requirement: Identity management and access control
One of the guiding principles of all security, and certainly all regulations, is that you must know who has access to what information and what the justification is for that access.
The FFIEC Security Handbook requires financial organizations to have "effective access rights management." Similarly, the PCI DSS (Requirements 7, 8, and 9), HIPAA, and ISO 27002 all require organizations to have:
- A request and approval workflow that is auditable and involves information owners and supervisors
- Access granted based on a business "need to know"
- Adequate strength authentication for a given environment and system
- Prompt changes to privileges and access resulting from job changes
- Regular review and certification of access
- Unique IDs for each user
- Monitoring of user activity
While the details described in each regulation differ, the basic principles are the same and correspond quite closely to the approach described in the common security frameworks.
The lesson here, as it is above, is that a common approach can help a financial organization become compliant with multiple regulations. The alternative of specific models and mechanisms applied in different compliance domains will not only complicate matters unnecessarily, but it will also be more costly and prone to error.
Compliance programs can address requirements from multiple regulations
Each passing year seems to bring with it additional regulatory requirements. However, most requirements can be met more easily by organizations with good security fundamentals. Recognizing this, financial organizations should structure their security and compliance programs to capitalize on common regulatory requirements approaches. By instituting critical processes like risk management, policy management and training, financial organizations can more easily position themselves to deal with new regulations. Good processes also allow financial organizations to take advantage of tools like identity management, vulnerability management and change control to address compliance requirements across the board.
About the author:
Richard E. "Dick" Mackey is a frequent speaker and contributor to magazines and online publications. He has advised leading financial firms on compliance with PCI, GLBA, and SOX. He has also provided guidance to a wide range of companies on enterprise security architecture, identity and access management, and security policy and governance.
This was first published in April 2008