October 2007 Issue

Security is the Goal … Compliance is the Test
By Rob Aragao

The past several years have been challenging for IT and security professionals, largely because of the impact of ever-evolving compliance requirements and the increasing emphasis on industry standards. Whether it is the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), one of the many state security and privacy laws, or a best-practice framework such as ISO 17799, the Information Technology Infrastructure Library (ITIL), or COBIT (Control Objectives for Information and related Technologies), every enterprise, regardless of size or industry, has felt the effects of security and privacy-related regulations.

As CIOs, CSOs, CISOs and others rail against the numerous regulatory compliance mandates plaguing the corporate world, they need to consider two points. First, if organizations were better at protecting vital information such as medical records, social security and credit card numbers, then compliance regulations might not be necessary. And second, passing a compliance audit isn’t the end game – securing networks to safeguard data is the primary goal; compliance is simply a way of instilling controls to test that security.

While compliance standards and deadlines must be met, enterprises need to be more strategic in their deployment of security safeguards. It is not simply about deploying one more firewall just to meet a certain regulation. Instead, the need is to assure corporate governance across the organization. In their efforts to meet the myriad evolving industry and federal regulations, organizations have spent heavily on putting controls in place to help aid compliance. But are these controls well balanced?

Balancing People, Technology and Process
To manage ever-increasing regulations and best practices, many organizations are implementing standards-based information security and compliance programs. For programs of this nature to be effective, businesses must execute the right balance of controls across three major categories – people, technology and process.

Security controls in the ‘people’ category are primarily related to the organizational structure of the security program, including the staff assigned and the tasks being performed. While technology security controls are a critical component of any security program, people develop the policies and procedures that are implemented within the technology. People investigate security alerts. People validate requests for user accounts. People make decisions about risk management.

Similarly, policies and procedures make up the ‘process’ component of an effective security program. They convey what can and cannot be done with information and technology. They reflect the company’s risk tolerance and mandate compliance requirements. Policies and procedures are created by people and implemented in technology as part of the overall security process. Without these, the security program is incomplete and unbalanced.

By far, the most popular and best understood part of any security program is the ‘technology’ component. Organizations have proven that they are very good at deploying security technologies and making them work in their environments. Firewalls, antivirus software, intrusion detection / prevention systems (IDS/IPS) and encryption are examples of security technologies that most organizations implement. However, many organizations tend to think that if they deploy “enough” technology, they will be able to adequately manage security risks, and this is not necessarily the case. Corporations that have numerous technologies implemented typically lack the staff, policies and procedures required for effective management. The end result is an unbalanced security program – one that is technology-heavy, but lacks the appropriate people and process elements.

When all three components of a security program are balanced and operating efficiently, it is more likely that business IT risks are being sufficiently managed and compliance requirements met. However, when people, technology and process are unbalanced, the organization may have a false sense of security, believing it is effectively managing risk and in compliance with regulations when that is not necessarily the case. Unfortunately, many organizations find themselves in this compromising position quite often.

Meeting Multiple Compliance Mandates
Security compliance is a complex and convoluted arena, especially when one considers the sheer number of requirements and standards every company is required to satisfy. For example, a multi-national, publicly-traded organization that accepts credit card payments and has a self-administered health plan would, at a minimum, be required to comply with SOX, HIPAA and PCI, as well as all state and international laws that impact security and data privacy.

Being subject to multiple regulations has caused organizations to take a “knee jerk” approach to compliance. Organizations that focus on compliance instead of security continually deploy technology – some of which may prove incompatible – simply to meet specific audit deadlines. This short-sighted approach contributes to the imbalance between people, process and technology.

Knowledge is Power: Next-Generation SIM is Knowledge
Before money is spent on yet another firewall, organizations should look at allocating budget to more comprehensive IT security management tools that help to better manage the compliance and audit process. While application-specific management consoles may do a fine job of monitoring and reporting on the specific technology they are designed for, they fail to offer a broader view of the IT enterprise. They don’t collect and correlate data from multiple technologies, making compliance management a manual, time-consuming and costly process.

Enter next-generation Security Information Management (SIM). The recent evolution of SIM marks the growing realization that, in order to truly manage IT security, risk and compliance across the enterprise, tools must move beyond log management. By combining log data with vulnerability, configuration, asset, performance and NetFlow analytics, organizations benefit from an integrated data model that extends beyond traditional SIM to offer enterprise-wide visibility across network, system and application layers.

This approach provides end-to-end correlation and policy management that enables organizations to quickly identify, understand and remediate problems before business is impacted. Additionally, role-based access and at-a-glance dashboards enable users to customize views and create compliance-specific reports to meet specific requirements. This allows organizations to cut through the complexities of managing the risk associated with today’s evolving mandates while providing the infrastructure to meet tomorrow’s regulations.
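As an added illustration of the correlation the two paragraphs above describe (this is not code from the article or from eIQnetworks' products): a small Python routine that enriches constructed IDS log lines with constructed asset-inventory and vulnerability-scan records, so that an alert is ranked by whether the target host is actually exposed and which compliance scope it belongs to, and then tallies exposed hosts per scope for a compliance-specific report. All host addresses, finding ids, signature names and log lines are constructed placeholders.

```python
import re
from collections import Counter

# Constructed data (not from the article): asset inventory with compliance scope,
# scan findings per host, and which IDS signature targets which finding.
ASSETS = {"10.0.1.20": ("pay-web-01", {"PCI"}),
          "10.0.2.31": ("hr-db-01", {"HIPAA", "SOX"}),
          "10.0.3.5": ("dev-box-07", set())}
VULNS = {"10.0.1.20": {"VULN-0001"}, "10.0.3.5": {"VULN-0001", "VULN-0002"}}
SIG_TO_VULN = {"EXPLOIT-ATTEMPT-A": "VULN-0001", "EXPLOIT-ATTEMPT-B": "VULN-0002"}
LOG_RE = re.compile(r"^(?P<ts>\S+) ids sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

# Constructed IDS log lines; the last one is deliberately malformed.
SAMPLE_LOGS = [
    "2007-10-02T10:00:01 ids sig=EXPLOIT-ATTEMPT-A src=198.51.100.7 dst=10.0.1.20",
    "2007-10-02T10:00:05 ids sig=EXPLOIT-ATTEMPT-B src=198.51.100.7 dst=10.0.2.31",
    "2007-10-02T10:00:09 ids sig=EXPLOIT-ATTEMPT-A src=198.51.100.7 dst=10.0.3.5",
    "2007-10-02T10:00:12 ids sig=EXPLOIT-ATTEMPT-B src=198.51.100.7 dst=10.0.9.9",
    "garbage line",
]

def enrich(line):
    """Parse one IDS line and attach asset and vulnerability context to it."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skip it rather than guess its fields
    ev = m.groupdict()
    name, scope = ASSETS.get(ev["dst"], ("unknown", set()))
    # A signature only matters if the scan says the target still has that finding.
    exposed = SIG_TO_VULN.get(ev["sig"]) in VULNS.get(ev["dst"], set())
    ev.update(asset=name, scope=sorted(scope), exposed=exposed)
    # Rank by context, not by raw log severity: regulated and exposed first,
    # then exposed, then hosts missing from the inventory, then noise.
    if exposed and scope:
        ev["priority"] = "critical"
    elif exposed:
        ev["priority"] = "high"
    elif name == "unknown":
        ev["priority"] = "review-inventory"
    else:
        ev["priority"] = "low"
    return ev

def correlate(lines):
    """Return enriched events plus a per-compliance-scope count of exposed targets."""
    events = [e for e in map(enrich, lines) if e]
    by_scope = Counter(s for e in events if e["exposed"] for s in e["scope"])
    return events, by_scope
```

Calling correlate(SAMPLE_LOGS) ranks the attempt against the PCI host critical, the one against the unscoped but exposed dev box high, the one against the patched HR database low, and flags the unknown host for an inventory review; the scope tally shows one exposed PCI asset.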

In addition to helping enterprises comply with regulations and industry best practices, next-generation SIM solutions provide clear insight into the overall health of the security environment and encourage collaboration between the Network Operations Center, Security Operations Center and compliance groups.

Conclusion
Regulatory compliance and industry best practice standards are here to stay. Perhaps someday, organizations will be secure and compliance regulations will no longer be necessary, but until that day, organizations of all sizes and across all industries need to take a more strategic approach to security and compliance management. The first step is to create a balance between people, technology and processes by deploying more comprehensive security management tools. The second step is to derive more knowledge from these tools to ensure organizations are not only effectively safeguarding data but also have effective controls in place to test compliance.

While simply deploying technology for its own sake is not the answer, next-generation SIM tools are an organization’s best resource for providing the necessary broad insight and visibility across the enterprise. Such tools enable organizations to not only meet important compliance mandates, but also greatly improve data and network security by integrating multiple, traditionally disparate IT silos into a single enterprise-wide security, risk and compliance management solution.

About the Author:
Rob Aragao is director of security engineering and services for eIQnetworks. With over 10 years in the security and software industries, Aragao is currently charged with driving the security and compliance strategy for eIQ's entire product line.

© IMPIRE Communications, LLC All Rights Reserved.  

Website designed & managed by Oculus Networks