Cyber Talk
A conversation with Marc van Zadelhoff, the Vice President of Business Development of Consul Risk Management
ITSS: What’s the current state of regulations that companies need to meet?
van Zadelhoff: The whole regulatory environment has gotten a lot more serious. Regulations give auditors teeth, and the teeth have arrived.
The current state of regulations is confusing, specifically because most companies must deal with multiple regulations at the same time. For example, a U.K. bank must comply with the Singapore privacy law because it houses Singapore citizen data in London and Singapore. A U.S. retailer must comply with SOX, since it’s a public company; HIPAA, since it has pharmacies; the Payment Card Industry (PCI) Data Security Standard, since it processes credit card transactions; and GLBA, since it has a financial services arm. Each regulation has different reporting needs and the report deadlines are at various times of the year.
Organizations have passed or are trying to pass their first audits. It is an arduous and time-consuming process. They want automated tools and an automated audit framework. It is not that businesses are ignoring security and privacy regulations, but in many cases they do not fully understand them, or do not realize they are out of compliance until an auditor threatens fines, or worse, if requirements are not met.
ITSS: How do companies translate a complex regulation into a task oriented compliance process?
van Zadelhoff: First, a company must set up an audit and compliance task force that will select a standard to help them check off many requirements. For example, ISO 17799, COBIT and NIST are three of the best sets of standards for security. The company will then customize compliance for each area from that standard. So, when auditing day comes, the task force will say, “We use ISO 17799, Mr. Auditor, and let me show you how we applied those standards to the financial servers that this regulation applies to.”
ITSS: How do companies tackle the challenge of having to comply with multiple regulations?
van Zadelhoff: Complying with multiple regulations is the way of the business world today. Between GLBA, SOX, HIPAA, PCI and others, organizations are finding it increasingly difficult to manage them all.
The best approach to complying with multiple regulations is to assess the similarities and differences among them. Instead of approaching regulations as separate sets of rules to adhere to, look for a common approach to complying with multiple sets of overlapping regulations. One requirement found across many regulations is monitoring user behavior, access and changes, which can be done by collecting and analyzing the security logs.
Log management is an exhaustive activity. With multiple and heterogeneous systems creating millions of logs per day, it is impossible to complete. Organizations require an automated way to collect and centralize security log data from heterogeneous sources; filter the collected information against security policy; automatically trigger the appropriate actions and alerts upon detecting suspicious activities; archive the normalized log data for forensic review; and provide a consolidated view and reports through a central dashboard to understand what users are doing with data.
ITSS: How does an organization approach compliance from an internal policy standpoint vs. an external regulatory one?
van Zadelhoff: With the introduction of the Internet, intranets and extranets, the borders of the network are dotted. As such, it is important to let the external regulations modify the internal policies. By making them one and the same, an organization can meet both sets of needs. Organizations have enough to worry about with one set of standards. Then they can assign standards to the entire set of policies by which to perform an audit and ensure compliance. The regulations are very high level. It’s up to security vendors to help customers make them part of their best practice.
ITSS: How can auditing help companies meet corporate security policies and government regulatory compliance requirements?
van Zadelhoff: Today, audits are more frequent, more information is required and reports must be real time. You must continuously measure and report whether the people, processes, information, and IT systems are operating and being used in accordance with security policy and regulatory requirements. Meanwhile, there is a business to run.
The proliferation of regulations requires corporations to ensure the integrity and security of corporate data. With IT auditing, organizations can establish accountability for information access through which they can quickly align the reality of their business operations with their information protection requirements.
Proper auditing will help not only with compliance but, if done well, also with business-valuable initiatives. So, companies should use it to their advantage to improve business performance. For example, having an IT audit in order helps:
- Meet legal requirements
- Monitor user behavior and gain transparency without hindering business
- Protect intellectual property
- Manage and mitigate risk and performance
- Establish and enforce accountability
ITSS: Upon achieving compliance, can organizations stop there? What are the next steps?
van Zadelhoff: No, compliance is an evolving process. Just because you are compliant today does not mean that you will be compliant tomorrow. Compliance happens one audit at a time, and audits don’t stop. Someone told me a story the other day about the CFO who wanted an extra desk in his office because there was always an auditor visiting. Organizations must continuously monitor the people, processes, systems and information within their environment to maintain ongoing compliance. The goal is continuous compliance, and that only happens when it’s automated.
ITSS: What do you foresee as the next wave for regulatory compliance?
van Zadelhoff: The next wave for regulatory compliance is to establish an Operational Risk Management (ORM) framework. To meet corporate governance regulations an enterprise must implement a framework for identifying and managing risk. The vision of ORM is to optimize the performance of a business by understanding the effects of adverse operational losses on the business activities and assets so that organizations can insure against them by preparing for that “rainy day.”
In the U.S., the number one factor accelerating development of ORM as a field is the Sarbanes-Oxley Act of 2002 (SOX). The U.S. Government created SOX to provide better information to investors. The word “information” is critical as it focuses on the responsibility of corporate management and the evaluation of that management performance through an internal control framework.
Risk is inherent in all organizations. Organizations can mitigate risk while maximizing the business performance throughout the organization by implementing ORM. The ORM vision is to create an environment where all personnel manage operational risk, and all strategic objectives are completed at the least possible cost to the organization. ORM raises the bar—a compliance culture is no longer acceptable.