NEW YORK -- Dennis Murray may be in the world's busiest city, but traffic in the Big Apple is nothing like the dangerous intersection of compliance demands he deals with each day as a security analyst for Blue Cross and Blue Shield Association.
And his plight isn't unlike other security managers attending this week's Information Security Decisions conference, namely managing the multitude of regulations enterprises are commanded to comply with.
"The harmonization of it all is difficult," Murray said Wednesday, noting that guidelines provided by the Health Insurance Portability and Accountability Act, the Sabarnes-Oxley Act (SOX) and the National Institute of Standards and Technology often seem to pull companies in different directions. "All this plethora of compliance makes it hard to set a level to it and match the standards and regulations and meet their requirements."
Competing regulations make it difficult for companies to set priorities, make purchasing decisions and execute policy. One strategy to combat this is to build upon one of the popular security frameworks, creating a living document that evolves along with regulations.
Diana Kelley, an analyst for Midvale, Utah-based Burton Group, said these internal frameworks often use established baselines like CoBIT, COSO or ISO 17799, which are then customized according to a particular business unit's needs. Kelly said that set of policies, processes and tools normalizes an enterprise's tactics toward compliance.
"This helps prepare your organization for the next regulation coming down the line," Kelley said. Enterprises that create these internal frameworks can benefit from the consistency of a policy-based approach to compliance, centralized control and better reporting capabilities.
Standards like ISO 17799, however, are not prescriptive. Instead, they're open-ended documents that explain what your organization should be doing, Murray said, but not how.
"What we're trying to do is make sense of this rash of standards," Murray said. "We're constantly being audited from all sides. We do our best to set priorities. The message, though, is that ROI has nothing to do with perceived value of assets. It's about protecting assets and maintaining consumer confidence."
Once an organization establishes an internal framework, the next challenge is the tools that help solidify internal controls and meet regulatory requirements. Despite what many vendors would have you believe, compliance does not come in a box. There are no silver bullets for compliance. In fact, the inherent complexity of enterprise systems is in a constant tug-of-war with compliance efforts.
"The compliance products you bring in may touch a lot of moving parts in the enterprise, including devices you may not own," Kelley cautioned. "You may have to negotiate politically about why you need to implement this in a particular business unit." Normalization and correlation tools are likely the first step down the compliance road, and oftentimes, these tools may already be present in your organization.
Some financial applications, such as those from Oracle Corp. or SAP AG, are being enhanced with features that help organizations comply with certain aspects of SOX 404. Document management systems, present in most financial departments, could help with demonstrating to an auditor a company has established a flow chart of internal controls and has written policies around these controls.
Additinally, network management systems, like Hewlett-Packard Co.'s OpenView or IBM's Tivoli, manage network components, Kelley said, and could be used to demonstrate continuity of service and service levels established in regulatory control objectives.
Information Security Decisions is produced by TechTarget, publisher of SearchSecurity.com.