Competing regulations clog road to compliance

By Michael S. Mimoso, Senior Editor 20 Oct 2005 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

NEW YORK -- Dennis Murray may be in the world's busiest city, but traffic in the Big Apple is nothing like the dangerous intersection of compliance demands he deals with each day as a security analyst for Blue Cross and Blue Shield Association.

And his plight isn't unlike other security managers attending this week's Information Security Decisions conference, namely managing the multitude of regulations enterprises are commanded to comply with.

"The harmonization of it all is difficult," Murray said Wednesday, noting that guidelines provided by the Health Insurance Portability and Accountability Act, the Sabarnes-Oxley Act (SOX) and the National Institute of Standards and Technology often seem to pull companies in different directions. "All this plethora of compliance makes it hard to set a level to it and match the standards and regulations and meet their requirements."

Competing regulations make it difficult for companies to set priorities, make purchasing decisions and execute policy. One strategy to combat this is to build upon one of the popular security frameworks, creating a living document that evolves along with regulations.

Diana Kelley, an analyst for Midvale, Utah-based Burton Group, said these internal frameworks often use established baselines like CoBIT, COSO or ISO 17799, which are then customized according to a particular business unit's needs. Kelly said that set of policies, processes and tools normalizes an enterprise's tactics toward compliance.

"This helps prepare your organization for the next regulation coming down the line," Kelley said. Enterprises that create these internal frameworks can benefit from the consistency of a policy-based approach to compliance, centralized control and better reporting capabilities.

Standards like ISO 17799, however, are not prescriptive. Instead, they're open-ended documents that explain what your organization should be doing, Murray said, but not how.

"What we're trying to do is make sense of this rash of standards," Murray said. "We're constantly being audited from all sides. We do our best to set priorities. The message, though, is that ROI has nothing to do with perceived value of assets. It's about protecting assets and maintaining consumer confidence."

Once an organization establishes an internal framework, the next challenge is the tools that help solidify internal controls and meet regulatory requirements. Despite what many vendors would have you believe, compliance does not come in a box. There are no silver bullets for compliance. In fact, the inherent complexity of enterprise systems is in a constant tug-of-war with compliance efforts.

"The compliance products you bring in may touch a lot of moving parts in the enterprise, including devices you may not own," Kelley cautioned. "You may have to negotiate politically about why you need to implement this in a particular business unit." Normalization and correlation tools are likely the first step down the compliance road, and oftentimes, these tools may already be present in your organization.

Some financial applications, such as those from Oracle Corp. or SAP AG, are being enhanced with features that help organizations comply with certain aspects of SOX 404. Document management systems, present in most financial departments, could help with demonstrating to an auditor a company has established a flow chart of internal controls and has written policies around these controls.

Additinally, network management systems, like Hewlett-Packard Co.'s OpenView or IBM's Tivoli, manage network components, Kelley said, and could be used to demonstrate continuity of service and service levels established in regulatory control objectives.

Information Security Decisions is produced by TechTarget, publisher of SearchSecurity.com.

Tags: Sarbanes-Oxley Act,  ISO 17799,  COBIT,  HIPAA,  Information Security Policies, Procedures and Guidelines,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Sarbanes-Oxley Act SOX compliance burdens midmarket security teams Ex-SEC chief Pitt decries state of Sarbanes-Oxley, risk management Information security book excerpts and reviews Internal audits for Sarbanes Oxley and internal IT support Internal auditors and CISOs mitigate similar risks Implement security and compliance in a risk management context Does password sharing in international branches violate SOX? Consensus Controls project aims to set benchmarks for compliance Security visualization helps make log files work The Little Black Book of Computer Security, 2nd Edition Sarbanes-Oxley Act Research ISO 17799 Tony Spinelli: Prioritize Information Security over Compliance How to write a risk methodology that blends business, security needs IT auditing applications and tools for ISO 27002 certification Security survey finds increase in security standards adoption Mix of Frameworks and GRC Satisfy Compliance Overlaps GRC: Over-Hyped or Legit? Is the Orange Book still relevant for assessing security controls? How do ISO 17799 and SAS 70 differ? How to apply ISO 27002 to PCI DSS compliance How to migrate from SAS 70 to ISO 27001 COBIT Tony Spinelli: Prioritize Information Security over Compliance Security survey finds increase in security standards adoption Mix of Frameworks and GRC Satisfy Compliance Overlaps GRC: Over-Hyped or Legit? Is the Orange Book still relevant for assessing security controls? Does SOX provision email archiving? COSO and COBIT: The value of compliance frameworks for SOX ISO 17799: A methodical approach to partner and service provider security management Mapping the path toward information security program maturity RSA Conference 2006 COBIT Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary COBIT  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary