In Depth

Regulatory Compliance Tools

Struggling with regulatory compliance? You've got company; these days, many CSOs list compliance as headache number one.

By Derek Slater

August 01, 2005

CSO — Accordingly, there's no shortage of compliance tools swimming around in the security marketplace. BindView, Citicus, Consul, Intellitactics and Preventsys, software vendors that describe their products in a broad variety of categories (risk management, threat analysis, policy tools, security information management and many more), all feature compliance heavily in their marketing materials. There are also vendors focused directly on regulatory issues. Logical Apps makes a product called Compliance for Oracle that enforces controls such as segregation of duties within financial applications so that, for example, the same user cannot access both accounts receivable and accounts payable. Virsa Systems offers a suite called Confident Compliance with a similar module for SAP systems. Even biometrics and identity management vendors are pitching their wares as compliance-focused.
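The segregation-of-duties control described above (no single user may hold both the accounts-receivable and accounts-payable capabilities) is easy to express as a small rule check. The script below is an added illustration written for this article, not code from Logical Apps, Virsa or any other vendor named here; the entitlement names, roles, conflict rules and user assignments are all constructed for the example. It shows both halves of such a control: a detective scan of existing access and a preventive check run before a new role is granted.

```python
"""Segregation-of-duties (SoD) conflict check: detective and preventive modes.

Everything below (entitlement names, roles, conflict rules, users) is
constructed sample data for illustration, not a vendor's rule set.
"""

# Constructed rule set: pairs of entitlements no single person may hold together.
SOD_CONFLICTS = {
    frozenset({"ar.post_receipt", "ap.approve_payment"}),   # receivables vs. payables
    frozenset({"ap.create_vendor", "ap.approve_payment"}),  # set up a payee and pay it
    frozenset({"gl.post_journal", "gl.approve_journal"}),   # author and approve a journal
}

# Constructed role catalogue: role name -> entitlements the role grants.
ROLES = {
    "ar_clerk": {"ar.post_receipt", "ar.view_ledger"},
    "ap_clerk": {"ap.create_vendor", "ap.view_invoices"},
    "ap_approver": {"ap.approve_payment", "ap.view_invoices"},
    "gl_accountant": {"gl.post_journal"},
    "gl_controller": {"gl.approve_journal"},
}

# Constructed current assignments: user -> roles held.
USER_ROLES = {
    "alice": {"ar_clerk", "ap_approver"},        # holds AR and AP approval: a conflict
    "bob": {"ap_clerk"},
    "carol": {"gl_accountant", "gl_controller"},  # posts and approves journals: a conflict
    "dave": {"ap_approver"},
}


def effective_entitlements(user_roles, roles):
    """Flatten a user's roles into the set of entitlements they grant."""
    entitlements = set()
    for role in user_roles:
        entitlements |= roles.get(role, set())  # an unknown role grants nothing
    return entitlements


def violated_rules(entitlements, conflicts):
    """Return every conflict pair fully contained in one entitlement set, sorted."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= entitlements)


def find_conflicts(user_roles_map, roles, conflicts):
    """Detective control: scan every user's current access for SoD violations.

    Returns a sorted list of (user, (entitlement_a, entitlement_b)) findings.
    """
    findings = []
    for user in sorted(user_roles_map):
        entitlements = effective_entitlements(user_roles_map[user], roles)
        for pair in violated_rules(entitlements, conflicts):
            findings.append((user, pair))
    return findings


def check_grant(user, new_role, user_roles_map, roles, conflicts):
    """Preventive control: list the new conflicts that granting new_role would create.

    An empty list means the grant can proceed without introducing an SoD violation.
    Conflicts the user already has are not reported again here; find_conflicts covers them.
    """
    current_roles = set(user_roles_map.get(user, set()))
    before = violated_rules(effective_entitlements(current_roles, roles), conflicts)
    after = violated_rules(effective_entitlements(current_roles | {new_role}, roles), conflicts)
    return [pair for pair in after if pair not in before]


if __name__ == "__main__":
    for user, pair in find_conflicts(USER_ROLES, ROLES, SOD_CONFLICTS):
        print(f"VIOLATION {user}: holds both {pair[0]} and {pair[1]}")
    for user, role in [("bob", "ap_approver"), ("bob", "gl_accountant")]:
        blocked = check_grant(user, role, USER_ROLES, ROLES, SOD_CONFLICTS)
        verdict = "BLOCKED" if blocked else "OK"
        print(f"grant {role} to {user}: {verdict} {blocked if blocked else ''}")
```

Running the script flags alice and carol in the detective scan, blocks giving bob the `ap_approver` role (he could then both create a vendor and approve payment to it) and allows giving him `gl_accountant`. The same pair-of-entitlements rule shape scales to any application whose access model can be flattened to per-user entitlements, which is what the audit documentation mentioned later in the article ultimately has to evidence.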

Many users say these tools can help. Codan Forsikring, a Danish insurance company, uses Consul's software to winnow actionable information about system events and user behavior out of lengthy event logs generated by the company's systems. Lars Jorgenson, an information security consultant for Codan, says Consul (which offers multiple modules, each aimed at a particular regulation) also helps document his company's information security controls, and good documentation is a critical part of regulatory compliance audits.

The rub for CSOs lies in finding the right tools for their own particular business. Sharon O'Bryan, a former CISO and now president of O'Bryan Advisory Services, notes that software helpful for one company may be only marginally effective for another, even within the same industry. The fundamental key, O'Bryan says, is to look at the big picture. CSOs should consider information assets "on an end-to-end process" basis (from the time the data is captured, through transmission, processing and storage), then ensure that proper controls are in place to protect the data. Once the controls have been considered, O'Bryan suggests, software tools can be added where they add operational efficiencies, as in the Codan case. But to expect to buy compliance in a box without first examining existing controls is a fool's errand.
