
7 ways to work around security compliance problems

By Bob Violino, CSO
January 06, 2014 01:06 PM ET

CSO - Regulations aimed at protecting the security and privacy of organizations and individuals are well meaning. But sometimes these standards, or how they're interpreted, can be more than a nuisance--they can actually contribute to weaker security.


Here are a few examples, from security executives and analysts, of internal and external compliance standards that are potentially problematic, and how they can be addressed so that they don't cause problems while they're trying to provide solutions.

Encryption and HIPAA

Many organizations and security executives are under the mistaken impression that compliance with the Health Insurance Portability and Accountability Act (HIPAA) requires encryption, and this can actually lead to security problems, says Paul Proctor, vice president and distinguished analyst at Gartner Inc.

In fact, HIPAA requires the appropriate use of encryption, which is quite a different standard and can mean the difference of millions of dollars, Proctor says. Aside from the overspending of time and energy on encryption, the misunderstanding related to HIPAA can have a negative impact on certain business processes, affect application performance and even cause users to bypass certain controls because they're annoyed at security, he says.

Decisions such as over-encrypting data "tend to have a ripple effect, of which lowering security is only one," Proctor says. "The answer is to develop a risk management process that allows thoughtful consideration of what you should do" to be compliant with regulations. "Organizations can make poor decisions if they don't have a formal risk management process--and most don't."

Password-Protected PDFs

Sometimes the regulatory environment has companies spending money on tools that aren't effective, and makes life more difficult for customers. When Tony Hildesheim, now senior vice president of IT at Redwood Credit Union, was working at another organization, internal regulations mandated that no account information be printed on any document.

"This also required that if you emailed a customer information, it had to be in a password-protected PDF," Hildesheim says.

This caused multiple problems. "Many financial institutions truncate the account number so that the whole number is not printed on any material," Hildesheim says. "Without an account number present on a piece of paper, it is hard to help the customer, many of whom no longer can tell you their account number."


The other issue is that with the company's email scanning solution, it was having a difficult time scanning the password-protected PDF. "Therefore, the security measure we put in place to ensure no data [such as credit card numbers] is emailed out of the company is rendered useless because the system cannot break into a PDF," Hildesheim says. "We had to change the procedure, train the staff and fight with the audit department."

Regulations "are often written in response to a very specific or perceived risk that may or may no longer exist, has other mitigations or whose likelihood is so remote that it is a non-threat," Hildesheim says.
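The failure Hildesheim describes is a DLP gate that silently passes what it cannot read. The following is an added example, not code from the article or from any of the organizations mentioned: a small outbound-attachment check that detects an encrypted PDF by its trailer's /Encrypt entry and holds the message for review instead of allowing it, and that only scans for card numbers (Luhn-validated) when the content is actually readable. The three sample "PDFs", the function names and the hold/block/allow verdicts are constructed for this illustration; a production gateway would use a real PDF parser for text extraction, but the fail-closed control flow is the point.

```python
import re
from dataclasses import dataclass

# Constructed sample attachments (not real documents); they carry only enough
# PDF structure for the checks below to see.
PLAIN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"2 0 obj << /Length 38 >> stream\n"
    b"Statement for card 4111 1111 1111 1111\n"
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
ENCRYPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"2 0 obj << /Length 12 >> stream\n"
    b"\x8a\x12\x99\xf0\x3b\xc4\x07\x55\xe1\x90\x2d\xa8\n"   # ciphertext, unreadable
    b"endstream endobj\n"
    b"3 0 obj << /Filter /Standard /V 2 /R 3 >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 3 0 R >>\n%%EOF\n"
)
HARMLESS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"2 0 obj << /Length 29 >> stream\n"
    b"Reference 1234 5678 9012 3456\n"   # 16 digits, but fails Luhn
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

@dataclass
class Verdict:
    action: str   # "allow", "block" or "hold" (hypothetical gateway actions)
    reason: str

# /Encrypt followed by an indirect reference ("3 0 R") or an inline dictionary.
ENCRYPT_KEY = re.compile(rb"/Encrypt\s*(?:\d+\s+\d+\s+R|<<)")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# 13 to 19 digits, optionally separated by spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def is_encrypted_pdf(data: bytes) -> bool:
    """True when the file is a PDF whose trailer (or xref stream dictionary)
    carries an /Encrypt entry, meaning its content streams are ciphertext."""
    return data.startswith(b"%PDF") and ENCRYPT_KEY.search(data) is not None

def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; filters random digit runs out of card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return the digit strings in text that look like card numbers and pass Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def extract_text(data: bytes) -> str:
    """Toy text extraction: concatenates uncompressed content streams.
    A real gateway would use a PDF library here; the control flow is the same."""
    return "\n".join(m.group(1).decode("latin-1") for m in STREAM.finditer(data))

def dlp_verdict(data: bytes) -> Verdict:
    """Fail closed: an attachment the scanner cannot read is held, never passed."""
    if is_encrypted_pdf(data):
        return Verdict("hold", "encrypted PDF cannot be inspected; route to a reviewer")
    cards = find_card_numbers(extract_text(data))
    if cards:
        return Verdict("block", f"{len(cards)} card number(s) found in attachment")
    return Verdict("allow", "no sensitive data detected")

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_PDF), ("encrypted", ENCRYPTED_PDF), ("harmless", HARMLESS_PDF)]:
        v = dlp_verdict(sample)
        print(f"{name:9s} -> {v.action}: {v.reason}")
```

The design choice worth noting is the middle verdict: "hold" is distinct from "block" so that the legitimate, policy-mandated password-protected PDFs still reach customers after a reviewer confirms them, while the scanner no longer counts an unreadable file as clean. Matching /Encrypt without a following reference or dictionary would be looser and could flag plain text that merely contains the word, which errs in the fail-closed direction and is an acceptable trade-off for a gateway.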
