BEST PRACTICES
Consistency Counts
By Richard E. Mackey
Organizations of all shapes and sizes face compliance requirements from all sides, whether from regulations like HIPAA, state privacy laws or the Payment Card Industry's Data Security Standard (PCI DSS).
The most efficient and effective way to deal with the diverse set of requirements stemming from the growing array of regulations is to establish a framework of consistent processes and mechanisms. The individual processes can then be adjusted to meet specific regulatory requirements. Here are five best practices that can help organizations fulfill compliance goals across multiple regulations.
Establish an information cataloging and classification process. At the heart of every regulatory requirement lies information. The information governed by regulations such as HIPAA, PCI DSS and Gramm-Leach-Bliley needs to be protected from leakage and unauthorized access. To protect information successfully, an organization has to know where it is, what makes it sensitive, and who should have access to it. Information cataloging identifies data sets and assigns ownership. Classification defines and documents what makes information sensitive and how it must be handled. Together these allow an organization to define processes for data handling (e.g., encryption), define processes and mechanisms for access control, and establish bounds for what needs to be audited to prove compliance.
Establish a risk management process. Many regulations require organizations to formally assess and manage risk to protected information and systems. This process needs to be applied at a high level when businesses change (e.g., in a merger or acquisition) and at a small scale (e.g., when new software or systems are installed). Having a risk assessment and management framework based on a recognized model, like OCTAVE from Carnegie Mellon University, can help organizations meet requirements from multiple regulations and justify strengthening (or weakening) controls.
Develop a consistent identity and access management process. Every regulation (and auditor) requires organizations to prove they have strong processes controlling who is permitted access to protected information and systems. While this may seem like a largely technical problem, it is primarily a process requirement. Regulations tend to emphasize the requirement that the appropriate people are involved in approving access requests and that there be an audit trail for all requests and approvals. Identity and access management technologies can help with these activities, but they depend on you to develop the appropriate workflows and involve the appropriate players.
Develop a log review process and mechanism. All regulations require organizations to maintain and monitor logs. Done correctly, logging allows a company to track and prove which users had access to which information, and provides evidence that regular maintenance took place, procedures were followed according to documentation, and certain protections were in place (e.g., firewalls and antivirus). Unfortunately, the challenges facing organizations trying to build and maintain a consistent logging scheme are many. Logs from different products have different formats, are stored in disparate systems, and may include too little or too much information. Organizations need to analyze their logging needs, confront the complexity problem and evaluate event and log management products on the market. The best of these understand log formats from multiple platforms and products, can integrate logs from distributed locations, and can provide powerful analysis tools.
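The format problem described above is concrete enough to show in code. The following is an added example, not code from the article or from SystemExperts: it takes two constructed log sources (a syslog-style file-server log with a key=value message body, and newline-delimited JSON audit records from a web application), normalizes both into one common access-event schema, and then answers the question the author says good logging must answer: which users reached which information, and whose attempts were refused. Host names, field names, paths and the assumption that both clocks are UTC (and that syslog lines belong to a known year) are illustrative assumptions; lines that cannot be parsed are counted rather than silently dropped, since an auditor will ask about gaps in coverage.

```python
# Added example: normalize two differently formatted (constructed) logs into one
# access-event schema. Hosts, fields, paths and timestamps are made up.
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input (not from any real system).
FILE_SERVER_LOG = """\
Mar 12 10:14:02 fs01 smbd[2211]: user=alice action=open path=/finance/q1_payroll.xlsx result=success
Mar 12 10:15:00 fs01 smbd[2211]: connection from 10.0.0.5
Mar 12 10:15:47 fs01 smbd[2211]: user=bob action=open path=/finance/q1_payroll.xlsx result=denied
"""
WEBAPP_AUDIT_LOG = """\
{"ts": "2024-03-12T10:16:30Z", "actor": "alice", "event": "record.view", "resource": "patient/4471", "outcome": "ok"}
{"ts": "2024-03-12T10:17:05Z", "actor": "carol", "event": "record.export", "resource": "patient/4471", "outcome": "ok"}
{"ts": "2024-03-12T10:18:00Z", "actor": "dave"
"""

SYSLOG_YEAR = 2024  # assumption: classic syslog timestamps carry no year
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^\[\s]+)\[\d+\]: (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog_kv(line):
    """One file-server line -> common event dict, or None if it is not an access event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("msg")))
    if "user" not in fields:  # e.g. connection notices: not an access event
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "time": ts.replace(tzinfo=timezone.utc),  # assumption: server clocks are UTC
        "source": f"{m.group('host')}/{m.group('app')}",
        "user": fields["user"],
        "action": fields.get("action"),
        "resource": fields.get("path"),
        "allowed": fields.get("result") == "success",
    }


def parse_webapp_json(line):
    """One JSON audit record -> common event dict, or None if malformed or incomplete."""
    try:
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except (ValueError, KeyError, TypeError):  # JSONDecodeError is a ValueError
        return None
    return {
        "time": ts.replace(tzinfo=timezone.utc),
        "source": "webapp",
        "user": rec.get("actor"),
        "action": rec.get("event"),
        "resource": rec.get("resource"),
        "allowed": rec.get("outcome") == "ok",
    }


def normalize(text, parser):
    """Return (events, skipped). Skipped lines are counted, never silently dropped."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parser(line)
        if ev is None:
            skipped += 1
        else:
            events.append(ev)
    return events, skipped


def load_all():
    """Merge both sources into one timeline ordered by normalized timestamp."""
    fs_events, fs_skipped = normalize(FILE_SERVER_LOG, parse_syslog_kv)
    web_events, web_skipped = normalize(WEBAPP_AUDIT_LOG, parse_webapp_json)
    return sorted(fs_events + web_events, key=lambda e: e["time"]), fs_skipped + web_skipped


def access_report(events):
    """user -> sorted list of resources that user successfully reached, from any source."""
    report = defaultdict(set)
    for ev in events:
        if ev["allowed"] and ev["user"] and ev["resource"]:
            report[ev["user"]].add(ev["resource"])
    return {user: sorted(res) for user, res in sorted(report.items())}


def denied_attempts(events):
    """(user, resource, source) for every refused access, for exception review."""
    return [(ev["user"], ev["resource"], ev["source"]) for ev in events if not ev["allowed"]]


if __name__ == "__main__":
    evs, skipped = load_all()
    for user, resources in access_report(evs).items():
        print(f"{user}: {', '.join(resources)}")
    print("denied:", denied_attempts(evs), "| lines skipped:", skipped)
```

The important design choice is the common schema (`time`, `source`, `user`, `action`, `resource`, `allowed`): once every product's log is mapped onto it, the review questions an auditor asks are written once and run against every source, and the skipped-line count tells you where your coverage has holes before an auditor does.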
Document your administrative processes. All regulations require thoroughly documented administrative procedures. Many organizations view this requirement as a compliance burden, but it simply makes sense. Your organization cannot afford to be placed at risk because the knowledge of how to complete critical administrative functions exists only in the heads of your administrators. There is no shortcut here; the key is to document what you do first and make improvements afterward. There will be a temptation to improve all your processes as you document them. That way lies madness. If you want to achieve compliance, document, document, document.
Richard E. Mackey is vice president of SystemExperts.
Send comments on this article to feedback@infosecuritymag.com.