Rising to the Compliance Challenge

From the Editors of CIOSC

Today's enterprises are under regulatory pressure as never before.

It's no surprise, then, that compliance is cutting a deep path through many CIOs' budgets. Over the next two years, enterprises are expected to allocate an additional 23 percent of their budgets to IT compliance, according to a recent PriceWaterhouseCoopers survey of business executives.

For CIOs, this new regulatory landscape means implementing changes in people, processes, and technology to ensure IT controls are operating in compliance with internal policies and regulatory mandates. As an example, a control to secure access to financial reporting data might be addressed with both intrusion prevention technology and changes to internal processes that ensure separation of duties.

The good news is that regulatory compliance is having a positive influence on overall corporate governance, leading to increased accountability and transparency as CIOs seek to ensure the integrity of their controls. Of course, there is also the fact that failure to comply can result in lost business and customer confidence, not to mention financial and legal liability. As the CFO at one Fortune 500 firm succinctly observed about the Sarbanes-Oxley Act: "Here's what Sarbanes means to us in layman's terms: I go to jail if this information is not accurate or if anything is inappropriate."

More with less

But even as regulatory compliance issues have moved front and center, CIOs and IT departments also continue to be asked to do more with less, and to act more quickly and with greater impact on business success. Consider:

  • The explosive growth in the use of wireless and other mobile devices shows no signs of diminishing. In many cases, these devices are personally owned by end users, leaving companies vulnerable to data losses and privacy breaches in the event of a security incident. In a report issued last summer, Gartner Inc. estimated that, by the end of 2004, over half of all business mobile PCs would be connected to wireless LANs, and that one of the main issues in deploying these networks involved "immature security standards."
  • Digital information is growing exponentially. Many industries today, such as healthcare and financial services, have digitized their information assets and, increasingly, the way they do business. This elevates the need to regulate the protection of information against intrusions to ensure that records are not modified maliciously.
  • Boundaries are breaking down. As companies continue to open their networks to outside parties -- such as customers, partners, and suppliers -- the traditional boundaries that separated trusted users from unwelcome ones are becoming harder to define, more difficult to manage, and easier to penetrate without authorization. According to a recent Network Computing poll, 61 percent of 725 respondents received a request from a guest to their facilities for wireless network access in the past six months.

This convergence of trends is driving the increasingly urgent corporate demand for infrastructure solutions that address regulatory compliance issues -- solutions that simultaneously address security (the ability to protect critical information assets) and availability (the ability to enable access to information by appropriate parties).

Don't reinvent the wheel

At the heart of most regulations is the intent to ensure that corporations take due care in protecting the confidentiality, integrity, and privacy of information that impacts their stakeholders (stakeholders that reside both within a corporation's own constituency and within the broader public domain). The majority of regulations translate this objective into legislation and standards whose language typically requires companies to address four strategic tasks:

  • Establish and implement security and availability controls
  • Monitor and test controls compliance with established policies and regulatory requirements
  • Identify, respond to, and remediate weaknesses and violations
  • Build and maintain a reporting capability that can reliably demonstrate compliance

The challenge for corporate executives is in how well they can map the regulatory requirements to specific security and availability solutions, which can be broadly implemented across an organization to reduce operating costs associated with achieving IT regulatory compliance.

Focus on four areas

Four areas in particular are critical in addressing compliance requirements: Risk Assessment, Policy Compliance, Remediation, and Incident Management.

  • Risk Assessment. This area refers to the tasks that are critical to an analysis of an organization's tolerance for security threats and vulnerabilities, or for business disruption due to unanticipated downtime. Risk assessment can involve an inventory of in-scope controls, people, processes, and technologies, and an assessment of compliance with IT policies and regulatory requirements. It might also involve identifying and isolating threats, including intrusion protection, malicious program identification, "rogue" (or unknown) technology discovery, and log activity analysis.
  • Policy Compliance. This area refers to the tasks necessary to proactively identify and isolate asset weaknesses before they are exposed to attack. Policy compliance can involve testing of configurations, periodic vulnerability scanning, and operations availability analysis to determine risk exposure -- all of which are mandated by numerous regulations and standards.
  • Remediation. Remediation tasks are needed to isolate and resolve IT control gaps and issues once you have identified and isolated asset weaknesses and vulnerabilities. This might involve deploying a new software patch to remove a security vulnerability. Or it might involve a change to IT processes and procedures to accelerate an organization's ability to respond to a new incident.
  • Incident Management. This includes the tasks necessary to integrate, interpret, and present security- and availability-related information from disparate sources: intelligence analysis, standards and policies compliance, asset classification, event correlation, and reporting (both on a specific action and its cumulative effect).

Compliance alone isn't enough

For today's real-time enterprise, regulatory compliance has assumed a place at the top of the corporate agenda. But keep in mind that compliance alone is not enough to protect your organization's critical information systems. That's because while recent regulations argue for the establishment of good information security practices, such practices aren't enough to provide the foundation for an information infrastructure that is both highly secure and highly available. (Even NERC, the North American Electric Reliability Council, refers to its cyber standard as "a set of minimum requirements.") Moreover, adjusting your information management posture to each new regulation or standard is inefficient.

Rather than react to each new regulation as it appears, organizations should instead take a proactive approach to managing the security and availability of their information. The benefits that accrue can be significant. Such an approach doesn't just achieve regulatory compliance; it also gives an organization the broader, more powerful set of benefits that result from implementing a sound security program. That includes the protection of an organization's most critical assets -- its information, its brand strength and reputation, and the continuity of operations necessary to sustain its performance without interruption.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
