SOX. GLBA. HIPAA. PCI. FFIEC. HSPD-12. FIPS 140. If you're dealing with any of these regulations in your IT security job, you know the pain of compliance projects. And chances are you're dealing with more than one of these regs.
More and more security groups -- particularly those in large enterprises -- are finding that they're working on simultaneous, often overlapping projects that come from multiple project teams working on different compliance initiatives.
"If you're a public company, you're dealing with [Sarbanes-Oxley]. And I would say 30 to 40 percent of the enterprises we work with are dealing with at least one more set of regulations," says Marne Gordan, director of regulatory affairs at Cybertrust, which offers security consulting services for many Fortune 1000 companies. "Sometimes it's more. And we're not even talking about state requirements, such as data breach notification statutes."
Officials at Accenture and Symantec Security Transformation Services -- a joint organization unveiled by the two companies yesterday -- said the need to eliminate "silos" between compliance projects was a key driver for the partners' venture.
"Enterprises are doing all of their compliance work in silos, and they aren't seeing the commonality between [the projects], particularly in the area of security," says Stephen Barlock, North America security lead at Accenture. "The net result is that their compliance efforts are much too complex."
Enterprises are also finding that the costs of their compliance efforts are rising, not falling, because of the growing number of independent, and sometimes redundant, regulatory efforts, says Mark Perry, vice president of global consulting services at Symantec, who will head the joint venture. "Our studies show that the [compliance] spend has gone up by as much as 100 percent in the last 24 months."
For IT security organizations, the problem is that most of the emerging regulations include some security requirements -- but those requirements differ from regulation to regulation. SOX and the Gramm-Leach-Bliley Act (GLBA) mandate data protection, but don't give any IT specifics. The Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI) standards outline more specific requirements. And in many cases, the security department is dealing with separate project teams for each.
"What enterprises need to do is collapse these compliance silos, look at all the commonalities between the different regulatory requirements, and build an underlying security environment that meets all of the regulations at the same time," says Gordan. "If they don't, they'll end up spending ten times as much as they need to."
Cybertrust, Symantec/Accenture, and other compliance consulting firms are all encouraging enterprises to build a common security framework that will meet the compliance requirements of all of the regulations they might face in the future.
"What we encourage companies to do is build a matrix of the requirements," says Chris Apgar, president of Apgar and Associates LLC, a compliance consulting firm. "On one axis, you put all of the regulations you might have to comply with. On the other axis, you put all of the security elements required by each one."
Once they've built the matrix, an IT security team can see what security requirements they must meet to achieve compliance under each set of regulations, Apgar explains. If they meet the most stringent security requirements on the matrix in each category, the result should be a security platform that meets the compliance mandates of all of them.
"For example, if you look at SOX and GLBA, they don't say much about encryption," Apgar says. "HIPAA and PCI, on the other hand, have some specific requirements. If you meet the most stringent of them, and document it completely, then what you did for HIPAA should keep you compliant with SOX."
Accenture and Symantec are working on a way to automate the process of correlating the security requirements of each regulatory mandate and identifying the most stringent elements, says Accenture's Barlock. "At Accenture, we've been doing this manually for years, and it's a lot of work," he says. "With this joint venture with Symantec in place, though, we think the days of doing this manually are numbered."
The trick is figuring out what to do after you've identified the most stringent requirements, because those capabilities and technologies may also be the most costly to deploy, Apgar observes. "If you want to encrypt email, a $250,000 package from Tumbleweed is a pretty sure thing to pass an audit," he says. "But in some cases, a certified email service that costs $100 per user per year might be enough to meet all of your auditors' requirements."
Depending on the regulations, a good strong password system may be a more cost-effective choice than two-factor authentication. "You want to be in compliance without spending more than you have to," Apgar says.
Documentation is one of the most important factors in surviving a security compliance audit, no matter which regulations are involved, Gordan says. "If you can show how you did it and why, you're going to have an advantage," she advises. "If you base your approach on industry standards like COBIT or ISO 17799 -- or even show them how you're complying with the security requirements of other regulations -- it's harder for the auditor to argue."
The first step in building a cross-regulatory security compliance platform is to get the project teams together, Gordan says. "It's not going to be easy at first, because a lot of these groups have already been working on their projects for a while, and they're going to be convinced that they have the right answer for security." In some cases, there may also be issues with regulations that conflict with each other, but this doesn't usually happen at the security infrastructure level, she adds.
The key is to use what other teams -- or even other companies -- have already done, experts say. "There are a lot of companies out there that have already been through this, so use the knowledge that's out there in the public domain," Apgar advises. "This is one area where there's no advantage in reinventing the wheel."
Tim Wilson, Site Editor, Dark Reading