Compliance, IT Security and a Clear Conscience

Never has the need to prove compliance with external regulations and internal policies been more acute than it is today. The likely consequences of failing to prove that your organization is compliant and that you are strictly adhering to your own policies can be significant, up to and including possible criminal penalties for top corporate executives. And the buck doesn’t stop there. Anyone who is familiar with the Enron story may also remember that it resulted in the once grand Arthur Andersen being brought to its knees, illustrating the thoroughness that external auditors will apply to ensure that they are not implicated.

Organizations today must prove beyond a shadow of a doubt that not only do they have a security program in place, but that it is enforced and is consistent across your organization. Information technology departments play a key role in this endeavor. Shortcomings in IT policies can have potentially serious consequences.

Research by Gartner has shown that 65 percent of all successful computer attacks take advantage of badly configured systems such as use of out-of-the-box default conditions, configuration of user accounts that have privileged rights, simple configuration errors or unscrupulous system administrators. If that’s not bad enough another in a recently published survey conducted by the U.S. Secret Service together with Carnegie Mellon University’s Software Engineering Institute CERT Program found that eighty-six percent of people who carried out insider sabotage held technical positions and ninety percent had system administrator or privileged system access – which meant they held the passwords to override the system and access the network.

No matter how secure a system may be, if the controls to access that system are not adequate, eventually this will be exposed. A recent Audit Commission report in the UK highlighted that problems are frequently a result of poor access controls that inevitably increase the risk of accidental damage and deliberate abuse. Instances such as the failure of management to escort disgruntled employees from buildings and remove all IT system access facilities have resulted in such staff having the time and opportunity to vent their anger on the organization and cause major disruptions. Interestingly, the report found the main reasons for breaches were ineffective policies, and the failure to enforce policies.

There are also many misconceptions about regulatory compliance for outsourcing. For example if your company has outsourced management of its IT infrastructure, the responsibility of compliance still rests with your company, not its outsourcing partner. Additionally, companies providing outsourcing services need to ensure that they are not implicated in the event that issues arise. In other words, select a good outsource partner and you could be a winner. Select a bad one and you could be out of business. It is not the brand name that should convince you but the quality and experience of the staff that will be responsible for your highly sensitive data.

Compliance and regulatory requirements
Being compliant has become a major focal point for most large organizations, but this for all practical purposes should be a goal for risk management and security in every organization. Regardless of external factors, those responsible for the integrity of the IT environment should be actively involved in ensuring that permanent staff, business partners and contracted staff, who may have privileged user rights, comply with company policies when it comes to handling company assets.

For those organizations that also need to meet public standards, the level of media exposure that has resulted from high-profile cases in the United States means that most people in the IT security arena are familiar with Sarbanes-Oxley, Basel II, 21 CFR Part 11, PCI, Gramm-Leach-Bliley and HIPAA.

However, it is not simply these much publicized standards. Today most countries have regulations in place that are very similar, such as France’s “Loi de Securité Financière”, Germany’s “KonTraG”, the UK’s “Combined Code” and the Netherlands “Tabaksblat Code”, which require a similar level of due diligence when it comes to IT security practices, although there are variations related to the compulsory nature in different countries.

Additionally, many organizations are adopting best practices by implementing standards such as ITIL, and ISO 27001 in order to ensure consistency across their enterprises. From an IT perspective, what all of these regulations have in common is that they require the strengthening of internal controls related to the use of IT systems.

The controls that are specified in most standards are very similar. All deal with the primary threats that exist in the IT environment, focusing on the misuse of privileged accounts, mistakes by privileged users and malfunctions within the IT infrastructure itself, particularly when it comes to the security of highly sensitive information. The IT security group needs to be able to prove which privileged user accessed what system, demonstrate that confidential systems and data could not have been accessed by those who had no rights and that those who have the right are tracked.

The importance of automation in tracking and reporting IT controls cannot be overstated. These tools are important in providing timely alerts by continuously collecting and alerting on events for any critical component within the IT infrastructure. Additionally, they are an important factor in reducing the costs associated with collating the information.

For any organization that must comply with these regulations, it is mandatory that the IT departments comply, and that the IT security department in an organization must be able to demonstrate to the rest of the organization, and to those external parties that monitor the activities, that the effectiveness of IT controls are adequate.

Anyone who has been faced with an audit, either internal or external, can attest to the resource demands that are placed on the IT organization. This can be especially challenging when an organization is present in different geographical locations. The effectiveness of the controls and reporting tools within the IT security departments are critical both to achieving a successful audit, and limiting the amount of resource that is required to deliver the necessary information. Ultimately, you are answering the questions, do you have the important controls in place, have you implemented effective change management and if your access controls are effective – and of course can you prove it.

A major challenge facing organizations today is that regulations do not make allowances for unintentional errors, and human error is one of the biggest risks faced by companies, especially as pressure to reduce costs means that more and more tasks are being carried out by less staff. Today almost all risk results from internal threats and because many organizations focus their investment in protecting against the external threat, they are often not adequately prepared to protect the internal risks. Today any organization that has an IT infrastructure relies heavily on databases, and database security practices, including everyone and every process that accesses the database, will always be scrutinized very closely by auditors.

What should you do?
Whether or not you are compelled to apply policies to comply with the various standards, you should familiarize yourself with what is required. My recommendation would be to start by taking the time to study the ISO 27001 standard to gain an overall view of what is required to have an effective information security policy and in conjunction look at the requirements of the Payment Card Industry (PCI) standard. Although the PCI standard is intended for organisations that deal with credit card transactions it offers a very practical guide to what should be done on a practical level in many areas, and will ensure that you have taken adequate precautions to protect yourself and your business.