2012 Compliance Checklist

Security professionals need to consider these best practices and new compliance requirements as they ring in a new year.

Work Toward Continuous Monitoring
Michael Hamelin, chief security architect for Tufin, predicts that 2012 will be the year of continuous compliance in many auditors' books.

"In other words, organizations will have to demonstrate that they can track any changes to their compliance posture and audit as needed, as opposed to referring back to a single point in time based on their last audit," Hamelin says. "As a result, investing in automating the audit process will be top of project lists for 2012, which will result in many organizations adopting more mature and effective processes for managing compliance." The automation part is the key, says Patrick Taylor, CEO of Oversight Systems, who emphasizes continuous monitoring as a path to continuous compliance.

"Even the best defenses are routinely defeated by social engineering and other surprisingly low-tech attacks. Businesses need to find and correct fraudulent transactions that come from these attacks as they are recorded, not weeks or months after the fact," he says. "Continuous monitoring uses targeted real-time analytics to deliver this additional line of protection -- even when network defenses have been thoroughly compromised."

Make Someone Accountable
If you haven't done so already, then make 2012 the year that your organization appoints ownership of compliance responsibilities to someone.

"Assign clear compliance responsibility to a specific authority within your organization. And along with that responsibility, don't forget to give them the authority to actually meet those goals," says Jon Heimerl, director of strategic security for Solutionary. "Make sure everyone in your organization knows who owns compliance. Make sure those people are fully trained so that they are truly qualified to actually manage the compliance process."

Watch Out For HIPAA Audits
Healthcare organizations could be in for a big-time reality check in 2012, Heimerl warns.

"The Office for Civil Rights (OCR) has initiated a pilot program to audit Covered Entities for HIPAA compliance," he says. "The program is a pretty aggressive program and will help lead to more frequent HIPAA compliance audits in the future."

One of the most important things to understand about this program is that when the organization in question is notified by OCR that it is subject to audit, it will have only 10 days to submit all of the required compliance documentation. That means if you aren't already prepared, you're pretty much up the proverbial creek without a paddle.

"This time frame is short enough that if you do not have your compliance well-defined, you will not be in a position where you will be able to meet this deadline," he says.

Treat FinCEN Seriously
Financial institutions might be focused on FFIEC right now, but they'd do well to keep an eye out for updates from the Financial Crimes Enforcement Network (FinCEN) to its requirements for electronic filing of Suspicious Activity Reports (SARs), which could go into effect in June.

"The Department of Treasury is serious about this update, and we should take it seriously when they discuss fines for noncompliance," Heimerl says.

Get IAM Control
One of the most impactful ways to improve audit results in 2012 and beyond is to rein in privileges and revamp identity and access management (IAM) strategies to improve control and visibility.

"Identity and access management is a key component of an effective compliance strategy. Organizations cannot maintain control of compliance processes unless they know who has access to vital IT resources and what they're using them for," says Dave Fowler, the COO of Courion. "That calls for intelligence based on user data that quickly reveals associations and patterns that might violate compliance guidelines and company policies, or indicate hidden risks."

Top of the IAM to-do list should be the application of the rule of least privilege within all environments.

"Eliminating overprivileged users inside your organization will aid in compliance satisfaction as most regulations -- SOX, HIPAA, GLB, PCI -- have a clause on level of access to key IT assets," says Jim Zierick, executive vice president of product operations at BeyondTrust. "All IT assets need administration, but this level of privilege also opens the path to abuse and actions outside of corporate governance or regulated policies."
