[ISN] Regulation Compliance Tops Companies' Security Concerns

InfoSec News isn at c4i.org
Tue May 18 06:14:24 EDT 2004


http://channelzone.ziffdavis.com/article2/0,1759,1594080,00.asp

May 17, 2004
By Karen D. Schwartz  

Just a few short years ago, the primary security-related concern for
most IT executives was how to prevent hackers from infiltrating their
companies' systems. Although that issue is still quite relevant, it is
no longer the top concern of many organizations. Today, that honor
goes to complying with the growing number of regulatory and
compliance mandates imposed by the U.S. government and by
international regulators. Some of these requirements, such as
Gramm-Leach-Bliley and Sarbanes-Oxley, reach a broad swath of
corporations, while others, such as the Health Insurance Portability
and Accountability Act (HIPAA) and the Basel II Accord, affect
specific industries.

The unifying thread among all of these mandates is the need to
adequately protect personal information - an issue that can cause
significant challenges and confusion for IT managers who are
unfamiliar with the available tools and methods for satisfying these
requirements.

Helping organizations comply with this panoply of regulations,
however, has created significant opportunity for resellers, says Ed
Smith, director of security solutions at Forsythe Technology Inc., a
technology infrastructure solution provider based in Skokie, Ill.

"These regulations don't require specific technology, which makes them
confusing and vague. Some say you have to provide access control, for
example, but they don't specify how to do it," Smith says. To solve
the problem, many organizations are turning to resellers who
specialize in building compliance-ready environments and who stand
ready to map those environments to the organization's framework, best
practices and standards.

Resellers and systems integrators fulfill a real need in the
compliance arena, agrees Michael Rasmussen, director of information
security at Forrester Research Inc., a Cambridge, Mass., IT
consultancy.

Not only is there no off-the-shelf product to deal with compliance and
security issues, but creativity and ingenuity tend to be key to
success, Rasmussen says. "It's about building a culture of security
and governance within the organization, as well as selecting the right
products and assigning the appropriate management and staffing to
them."

Although not yet a requirement, the government's recent push to
address cyber-security is beginning to rank nearly as high as
regulatory compliance for companies trying to stay on the cutting edge
of security requirements. The effort is spearheaded by the National
Cyber Security Partnership Task Force, a public-private partnership
led by a variety of trade groups and the U.S. Chamber of Commerce,
whose goal is to develop strategies to better secure critical
information infrastructure.

Slowly but surely, the push to implement better cyber-security is
trickling down from government to private industry, encouraging
resellers to develop solutions and methodologies for implementing
these practices within their client base.

"We're encouraging the private sector to adopt what's happening in the
public sector because cyber-security cuts across everything and should
be part of the overall business model," says Jeff Tye, founder of GMP
Networks, a Tucson, Ariz., security integrator.

But at least for now, compliance and cyber-security issues remain more
relevant to larger companies than smaller ones. These issues,
generally grouped under the term "information security," include
financial integrity, regulatory compliance, privacy, intellectual
property and industrial espionage. Smaller companies, on the other
hand, tend to remain focused on IT security - technology that includes
firewalls, disaster recovery, patch management, intrusion-detection
systems, and encryption and anti-virus software.

That's changing, but slowly, Smith notes. "You have to become a
trusted adviser beyond just offering the latest technology. It's about
understanding their problems and then developing an appropriate
solution - whatever the need."



GLOSSARY OF TERMS


Sarbanes-Oxley Act of 2002: Mandates a comprehensive accounting
framework for all public companies doing business in the United
States. Companies must disclose all relevant financial performance
information publicly, creating the need for more stringent digital
data integrity and accountability controls.


Health Insurance Portability and Accountability Act of 1996 (HIPAA):  
One part of this act deals with the standardization of health
care-related information systems, establishing standardized mechanisms
for electronic data interchange, security and confidentiality of all
health care-related data.


Gramm-Leach-Bliley Act of 1999: Enacted to protect consumers' private
financial information. It put processes in place to control the use of
consumers' private information and included requirements to secure and
protect the data from unauthorized use or access.


Basel II: The Basel II Accord is a regulatory framework governing risk
management practices, developed by the Basel Committee on Banking
Supervision at the Bank for International Settlements. Banks have
until the end of 2006 to comply with it. The accord consists of three
pillars: minimum capital requirements, supervisory review of capital
adequacy and public disclosure. New guidelines on operational risk may
require banks to implement more comprehensive business continuity
solutions. Once finalized, it will give banks a more standard way of
evaluating risk.


Cyber-security: Simply put, cyber-security is the act of protecting
all corporate information from potential harm through identification,
protection and defense. The U.S. government is doing its best to
encourage organizations to deal with cyber-security. The National
Cyber Security Partnership Task Force, for example, recently issued a
report recommending ways of reducing security vulnerabilities by
adopting existing standards and best practices, using common software
security configurations, developing guidelines for secure equipment
deployment and network architectures, and improving the processes
commonly used to develop security specifications and conduct security
evaluations.
