Meeting the goal of regulatory compliance means running a tight security ship. When auditors come calling, however, how can you prove that you do? Security managers share their tips on how high tech and plain old communication skills can make the difference between passing and failing.
This is the fourth in a series of stories on key security issues that will be addressed at the Security Standard event scheduled for Sept. 10-11 in Chicago.
Regulatory compliance means getting your organization’s network security, data storage and content-protection practices to conform to relevant laws so that auditors are satisfied and liability is reduced. With so many state and federal regulations, not to mention international ones such as the European Union’s data-privacy rules, how does a security manager prepare for the day when the auditors knock on the door demanding evidence that all’s in order?
Ask Darcy Soleil, a certified IS auditor (CISA) at Ft. Lauderdale, Fla.-based Parker Soleil Consulting, who says she’s usually called in to assist management in assessing the IT controls demanded by regulators under the Sarbanes-Oxley Act (aka SOX).
Her job is to help companies get ready for the external auditors from such firms as Deloitte Touche and Ernst & Young, who will perform the official SOX audits needed to satisfy the Public Company Accounting Oversight Board, the body created by SOX and overseen by the U.S. Securities and Exchange Commission (SEC).
SOX was passed by Congress five years ago to tighten financial reporting in the wake of accounting scandals, such as the fraud uncovered at Enron that left investors and employees ruined. Section 404 is considered the IT-specific section of SOX, which governs publicly traded companies of a certain size, and will expand this December to include smaller firms, those with a public float (shares held by non-affiliates) of less than $75 million. Section 404 asks for evidence of “an internal control framework” related to a company’s process for financial reporting.
“This could apply to the general ledger system, for instance,” Soleil says, noting that the framework regulators want refers to any well-accepted one, such as COSO or COBIT. (COSO stands for The Committee of Sponsoring Organizations of the Treadway Commission, and COBIT stands for Control Objectives for Information and Related Technology, so it’s easy to understand why these process frameworks are seldom mentioned other than by their acronyms.)
As a CISA, Soleil’s visit to a company will start with an examination of its IT processes ranging from change-control systems and in-house coding to how the organization handles identity management and security assessments. She may want to see IT or other department reports dating back three years. “I’ll look at their backup systems or logical access,” she says. “I’ll look for anything that eliminates lack of accountability, such as shared accounts. One of the biggest issues is segregation of duties.”
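The checks Soleil describes (shared accounts, generic logins nobody is personally accountable for, one person holding two duties that should be separated) are the kind of thing worth scripting, because a script run on a schedule is itself the automated control an auditor can test once instead of sampling by hand. The block below is an added example, not code from the article or from Parker Soleil Consulting. It assumes a Unix host, a hypothetical segregation-of-duties policy (members of the developers group must not also be in the release group) and a hypothetical list of generic accounts, and it runs on constructed /etc/passwd and /etc/group content embedded in the script.

```python
"""Added example: auditor-style checks for shared accounts and
segregation-of-duties (SoD) conflicts on a Unix host.

Parses /etc/passwd- and /etc/group-format text and reports three
findings: one UID shared by several logins, generic accounts that can
log in interactively, and one person holding two duties that policy
says must be separated. All data and policy below is constructed.
"""
from collections import defaultdict

# Constructed /etc/passwd content (not from any real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root login:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:500:500:Oracle owner:/opt/oracle:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
dbadmin:x:1004:1004:shared DBA login:/home/dbadmin:/bin/bash
"""

# Constructed /etc/group content.
GROUP = """\
root:x:0:
developers:x:2001:alice,bob
release:x:2002:bob,carol
dba:x:500:dbadmin
"""

# Hypothetical SoD policy: nobody may be in both groups of a pair
# (here: whoever writes code must not also push it to production).
SOD_CONFLICTS = [("developers", "release")]

# Hypothetical list of generic accounts that cannot be tied to one
# person and therefore must not have an interactive shell.
GENERIC_ACCOUNTS = {"dbadmin", "oracle"}

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Return {login: (uid, gid, shell)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        users[fields[0]] = (int(fields[2]), int(fields[3]), fields[6])
    return users


def parse_group(text, users):
    """Return {group: set(members)}, folding in each user's primary
    group, which /etc/group does not list explicitly."""
    groups, gid_to_name = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
        gid_to_name[int(gid)] = name
    for login, (_uid, gid, _shell) in users.items():
        if gid in gid_to_name:
            groups[gid_to_name[gid]].add(login)
    return groups


def audit(passwd_text, group_text, sod_conflicts=SOD_CONFLICTS,
          generic_accounts=GENERIC_ACCOUNTS):
    """Return a sorted list of (finding_type, detail) tuples."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text, users)
    findings = []

    # 1. Several logins on one UID are one shared identity: the kernel
    #    and the audit trail cannot tell them apart.
    by_uid = defaultdict(list)
    for login, (uid, _gid, _shell) in users.items():
        by_uid[uid].append(login)
    for uid, logins in by_uid.items():
        if len(logins) > 1:
            findings.append(("shared_uid", "uid %d shared by %s"
                             % (uid, ",".join(sorted(logins)))))

    # 2. Generic accounts with a real shell: whoever knows the password
    #    acts without personal accountability.
    for login in generic_accounts:
        if login in users and users[login][2] not in NOLOGIN_SHELLS:
            findings.append(("generic_login", "%s has interactive shell %s"
                             % (login, users[login][2])))

    # 3. SoD: the same person on both sides of a conflicting pair.
    for g1, g2 in sod_conflicts:
        for login in groups.get(g1, set()) & groups.get(g2, set()):
            findings.append(("sod_conflict", "%s is in both %s and %s"
                             % (login, g1, g2)))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in audit(PASSWD, GROUP):
        print("%-14s %s" % (kind, detail))
```

On a real host the two strings would be read from /etc/passwd and /etc/group (and the policy from wherever the organization keeps it); the script covers local accounts only, so directory-managed users need the equivalent query against the directory. Run from cron with the output kept, the findings list is exactly the evidence an auditor asking for three years of history wants to see.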
A process, not a project
Soleil points out that companies benefit when the security manager, the IT department and the business management tackle SOX compliance as “a process, not just a project.” She points out that automated controls — rather than simple, manual ones — can be a plus for a company.
“If I’m looking at a Unix system or an Oracle database, for example, if I know it has an automated process for provisioning, I’ll have to do less testing, and it’s less expensive,” says Soleil, whose customary fee is $100 an hour. She favors automated vulnerability-scanning and “continuous monitoring” because it lowers risk.
The Philadelphia Stock Exchange, broadly regulated by the SEC, uses Grant Thornton LLP as its external auditor and Accume Partners as its internal one, says Bernie Donnelly, the exchange’s vice president of quality assurance. “Accume is the internal auditor and they’re here all the time,” he says, explaining that the stock exchange builds its regulatory compliance around the COBIT framework. “We have a timeline of events, and I’m the liaison.”
About once a month, the IT audit process starts up afresh, examining whether such processes as patch management and vulnerability assessment are in place. Internal auditors are valuable “because you can be so close to a process every day, you can miss a hole that was created,” Donnelly says. “So you need them. I want to know if there’s a problem so it can be fixed.”
Donnelly says auditors seeking to make a determination about compliance often want to know everything they can about an IT project, from the first requirements to the final installation. Automating change-control processes in software can be helpful, he notes, adding that his department has used Serena Software's TeamTrack for application life-cycle management.
Regulatory soup
That’s just SOX, however. There is a long list of other regulations, such as the Gramm-Leach-Bliley Act for financial-data privacy, and California’s Senate Bill 1386, which has had an outsized impact that extends far beyond California in propelling companies to disclose data breaches publicly.
Making the grade in regulatory compliance is something the Fairfax County Public School district in Virginia is expected to do. For Ted Davis, the district’s director of enterprise information services, the two regulations that figure most prominently are the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).
“FERPA is the primary federal regulation concerning student records, and who has access to these records and can see them,” Davis says. HIPAA is the federal regulation that mandates privacy and security of medical records. HIPAA is relevant to the Fairfax school system because it provides medical assistance — such as therapy and emergency care, when necessary — to the 164,000 students in the county’s 200 schools.
One of the main reasons Fairfax began planning for automated user provisioning and password management five years ago — the $1 million project based on Novell’s identity-manager software began its rollout this spring — was to help meet FERPA and HIPAA requirements for data privacy, access control and auditing. “This should reduce our risks and be much more manageable and less cumbersome than our old, manual system,” Davis says.
HIPAA is a top concern for Mike Lecuyer, enterprise network systems and security systems compliance engineer at insurance provider Blue Cross Blue Shield of Massachusetts. “Some of the compliance called for in HIPAA is vague, but you need certain controls, such as audit controls,” Lecuyer says. He adds that he favors automating compliance reports and monitoring where it seems feasible, and to that end his organization’s servers run software-based access-control templates from NetIQ that monitor for password changes and enforce the access controls called for by HIPAA. “I think you’ve got to automate this,” Lecuyer says.
Try something new
Many banks say they’ve been spurred to make certain security changes because of regulation, particularly the Authentication in an Internet Banking Environment guidance that took effect this year. The guidance was issued by the Federal Financial Institutions Examination Council (FFIEC), a multiagency group representing the Federal Reserve System, the Federal Deposit Insurance Corporation and other regulators. It compels banks to use more than simple passwords for customers’ online banking and funds transfers, and the FFIEC is giving banks leeway this year to try a variety of approaches.
To meet this new regulatory demand, Evansville, Ind.-based Old National Bancorp, an $8.2 billion bank with online banking services, has distributed Vasco Data Security's dynamic-password tokens to business customers for two-factor authentication. Old National also has added Corillian Security's Intelligent Authentication service, which identifies online customers by combining signals such as IP address, time of day and browser settings. It also lets customers verify that they have reached the bank’s genuine site through a visual-identification process.
These changes were carried out largely “to meet the FFIEC guidelines,” says Becky Sandgren, assistant vice president and senior project manager in the bank’s e-business division.
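A dynamic-password token works because the bank holds the same seed as the token and checks each submitted code against the counter it expects next. The block below is an added example, not Old National’s or Vasco’s code: Vasco’s algorithm is proprietary, so the example assumes the open counter-based standard, HOTP (RFC 4226), in its place, and uses the RFC’s published test seed rather than a real token secret. It shows the two behaviours an examiner looking at a two-factor deployment cares about, rejection of replayed codes and throttling after repeated failures; the look-ahead window and lockout threshold are hypothetical values.

```python
"""Added example: server-side verification of an event-based one-time
password token, using HOTP (RFC 4226) as a stand-in for a proprietary
dynamic-password token. Secret and codes are the RFC 4226 test vectors.
"""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP value for one counter: HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


class TokenRecord:
    """Per-token state the bank keeps: seed, next expected counter and
    consecutive failed attempts."""

    def __init__(self, secret, counter=0):
        self.secret = secret
        self.counter = counter   # next counter value the server expects
        self.failures = 0


def verify(record, submitted, digits=6, look_ahead=5, max_failures=10):
    """Accept `submitted` if it matches one of the next `look_ahead`
    counters (hypothetical window size).

    On success the counter moves past the matched value, so a captured
    code can never be replayed; presses the user made without logging in
    are absorbed by the look-ahead. After `max_failures` consecutive bad
    attempts (hypothetical threshold) the token is locked, as RFC 4226
    section 7.3 recommends, until unlock() is called out of band.
    """
    if record.failures >= max_failures:
        return False
    # Reject anything that is not exactly `digits` ASCII digits before
    # touching the comparison; compare_digest needs ASCII input.
    if len(submitted) != digits or any(c not in "0123456789" for c in submitted):
        record.failures += 1
        return False
    for i in range(look_ahead):
        expected = hotp(record.secret, record.counter + i, digits)
        if hmac.compare_digest(expected, submitted):
            record.counter += i + 1
            record.failures = 0
            return True
    record.failures += 1
    return False


def unlock(record):
    """Help-desk reset after the customer has been re-identified."""
    record.failures = 0


if __name__ == "__main__":
    rec = TokenRecord(TEST_SECRET)
    print("first code accepted:", verify(rec, hotp(TEST_SECRET, 0)))
    print("same code replayed:", verify(rec, hotp(TEST_SECRET, 0)))
    print("code three presses ahead:", verify(rec, hotp(TEST_SECRET, 3)))
```

The IP address, time of day and browser settings that the risk-based service combines identify a device and a habit, not a person; the token supplies the possession factor, which is why the two are deployed together. For the audit trail, every call to verify() and unlock() should be logged with the token ID and the outcome, since those records are what demonstrate the control actually operated.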
In some instances, the use of technology products and services is strictly overseen by government regulators in the United States and abroad, who set standards for data-usage, storage and transfer policies. At airline carrier Air Canada, for example, Canada’s data-privacy regulations prohibit storing airport public-area camera feeds, although camera feeds in private facilities can be stored, says Thor Hoff, IT infrastructure project manager at Air Canada’s Toronto operations center. “Any video monitoring in public areas is always done in real time,” says Hoff. “We have to follow government regulations.”