Compliance Hindsight: What Organizations Have Learned from Early Compliance Approaches

By Pamela Fredericks

and Evan Tegethoff

The escalating number of regulations with a clear information security impact has finally put enterprises on notice: information security is part of business risk and can no longer be left on the sidelines. Previously, few companies paid much attention to regulatory compliance, their “control infrastructure,” or even information security. Now, however, organizations large and small are racing to assess, test, and document their internal controls for Sarbanes-Oxley, their security and privacy practices for HIPAA, or their basic security safeguards for GLBA, Basel II, Homeland Security, and dozens of other mandates.

In the midst of these time-consuming compliance projects, certain key facts are becoming apparent. Compliance is not an end-game; it is an ongoing effort. Therefore, the lessons learned today are going to be critical in achieving long-term compliance goals.

So, what have we learned?

Compliance is Not about Adding Technology

Organizations have learned that security strategy must be formalized prior to the purchase of technology, because strategy must drive requirements for technology, not the other way around. Many companies have found, upon assessing their security program against many of the regulatory and compliance specifications, that shortcomings tend to be in the areas of policies, standards, and other forms of critical documentation. In addition, effective technology selection requires a comprehensive strategy for information security that is tied to business goals as well as overall regulatory requirements.

Another lesson is that compliance tends to create one of two mindsets: fear or opportunity. Many vendors have used the fear tactic, taking advantage of the generally vague nature of regulations to twist the message to suit the strengths of a particular product or offering. However, compliance means different things to different organizations and industries, and there is no one best product or approach. In fact, any stand-alone compliance solution should be regarded with skepticism. Likewise, short-term panic can dramatically increase the cost of compliance and lead to responses that fail to provide long-term returns.

When thought of as an opportunity for improvement, however, compliance can lead to a more reasoned preliminary step, namely performance of a thorough risk and security controls assessment. This type of assessment is critical in building a strong security foundation, because it exposes the need for policies, processes, and other forms of documentation, and properly places technology as subservient to these.

In aligning with regulations, organizations are finding it is important to focus on the core business applications first. For IT, this means looking at everything from the perimeter network through to the internal network, the applications and databases, and the state of security processes and procedures. Such a review identifies specific areas in the control structure that need attention, and where to go from there.

Compliance is ultimately about doing many things that are common sense; technical controls are only one aspect of the overall information security program. Too many new technologies and disjointed IT systems do not support corporate integrity. Rather than spending erratically, develop a strategy and program based on governance, standards, and policies, and then purchase technology that supports those principles.

This reasoned strategy is also valuable in that it typically is viewed by regulators and auditors as confirmation that compliance is being addressed seriously and effectively. For instance, the PCAOB (Public Company Accounting Oversight Board) indicated in the proposed Sarbanes-Oxley auditing standard that a natural starting place for the audit of internal controls is an evaluation of an organization’s own self-assessment.

A Framework is Critical

It is quickly being learned that frameworks for information security controls are very useful in compliance efforts. Organizations are converging on a number of key standards and frameworks in order to avoid recreating the wheel and to increase confidence that the results of their efforts will stand up to external scrutiny.

The U.S. Sarbanes-Oxley Act and similar legislation worldwide have been key drivers toward standards and frameworks. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework that is the base for Sarbanes-Oxley Section 404 controls has, in fact, been available for over a decade. Standards such as ISO-17799, COBIT and others, which have also been available for a number of years, are gaining popularity both because some regulations explicitly state that programs must be based on them and because of their inherent usefulness. A framework based on industry-accepted good practice can create a basic skeleton upon which to build a program. With a framework, an organization can be confident that their planning does not overlook any security domains.

Internal controls are not one-size-fits-all, but, rather, are dependent upon the size and complexity of the company. A framework tailored specifically to an organization will more accurately represent logical objectives for information security. Pre-existing frameworks, however, are fairly generic. Furthermore, a single framework used in compliance efforts may lack enough detail in one sphere or another, such as IT, security, or industry requirements. Several groups (the IT Governance Institute, the COBIT Steering Committee, and others) have mapped together multiple frameworks in an attempt to integrate and obtain a more global view of security requirements. Organizations have also found it useful to map together a number of frameworks with the actual regulations that impact them. This ensures that the overall goal is inclusive of the requirements for compliance, without being myopic in approach.

Information security programs that take their guidance from standards will streamline efforts to comply with future regulations. They increase the likelihood that updates will be incremental, rather than large-scale efforts toward each new regulatory challenge. The aim of such programs should be to become “compliance-ready” as opposed to “compliance-reactive.”

Auditors Have Become More Sophisticated

Increased regulation has put everyone on their toes, including, in many cases, the internal and external auditors. Gone are the days when, with a fair degree of reliance, one could be assured that audit recommendations would be a few steps behind reality. Compliance efforts have required the audit profession to become more sophisticated in its approach. In many ways, auditors now set both the criteria and the measurement standard for the companies they review. There is not absolute agreement as to what these criteria are. Therefore, here again, an information security program based on standards is the most effective strategy.

The first Sarbanes-Oxley audits are in the planning stages. Their outcomes will depend on how strict external auditors are in what they define as material weaknesses in the control program. The law itself looks only for “reasonable assurance” that there are no internal control weaknesses. The auditor will look for potential vulnerabilities, future impact, and the compensating controls that are in place. Often, the fact that a security program is based on standards will score points with an auditor for reflecting a good faith effort. In addition, a standards-based approach to information security strategy can establish a shared perspective between auditors and the organization being audited that expedites the fact-finding phases and decreases the overall audit duration.

Information Security Requires Dedicated Responsibility

Companies are discovering that the days when information security could be a small component of a busy IT director’s overall responsibilities are rapidly fading. The HIPAA Privacy Rule mandates that a privacy official be appointed in health care organizations to oversee and manage the use and disclosure practices of protected health information. Similarly, HIPAA’s security standard also requires that responsibility for security be formally assigned. As of now, this assignment need not be to someone dedicated full-time to the role, but it must rest entirely with one individual. For those still wearing multiple hats, the onus to ensure adequate security compliance will increase the time required to manage the function. As such, it will likely eliminate many part-time security practitioners.

The adoption of frameworks and standards and a new appreciation of the many pieces involved can open the eyes of the organization that previously treated security as a low-maintenance function. The time and care necessary to support security can either be viewed as a nuisance or as an opportunity to improve the way the security controls are handled, build customer trust, and maintain shareholder value. Acceptance of accountability and responsibility are now fundamental to many compliance requirements, with penalties tied to each responsible party.

Ultimately, the lesson learned for information security is the absolute necessity of dedicating enough resources to do the job. Once information security has been adequately scoped, and the appointed individual becomes the focal point for compliance, it is essential that a team be built for ongoing support. Like security, compliance is a continuous process, not a one-time event. Risk management requirements are certain to become even more rigorous.

Compliance is Merging Business and Security Goals

Motivated by Homeland Security directives and industry alliances, the Corporate Governance Task Force issued its call to action for information security governance (ISG) in April of this year. The Task Force’s recommendations challenged industry, non-profits, and educational institutions to integrate information security into their corporate governance policies and management. Through the ISG framework and assessment tools provided in their report, organizations can integrate information security into their corporate governance programs. Security governance is built upon having the proper people, policies, and overall control structures to create an environment that ensures the confidentiality, integrity, and availability of critical information. The boundaries between business objectives and security objectives are disappearing.

As noted, much of what must be done to satisfy compliance objectives is common sense. What we have learned after a few years of regulatory focus comes down to the basics:

• Assess your environment carefully
• Focus on the security controls surrounding core business systems
• Assess your risk
• Document your security program
• Apply technology judiciously, based on your evaluations
• Adopt one or more frameworks to streamline and standardize the process
• Ensure alignment with audit criteria
• Ensure that sufficient resources are in place to manage security

This approach will help to bring business and security risk into alignment.

Ultimately, the security program needs to be guided by and aligned with the objectives of the business. It is fundamentally the only way that the discipline will grow past a purely technical one. Traditionally, this has been an enormous struggle, due to lack of high-level management support; but compliance has created a focus and an opportunity where once there was none.

Sources:

Sarbanes-Oxley Vendor Evaluation Framework, Gartner Inc., October 8, 2003.

PCAOB Briefing Paper, Proposed Auditing Standard – An Audit of Internal Control Over Financial Reporting, October 7, 2003.

Alles, Kogan, Vasarhelyi, The Law of Unintended Consequences?, Information Systems Control, Volume 1, 2004.

Heschl, COBIT in Relation to Other International Standards, Information Systems Control, Volume 4, 2004.

National Cyber Security Summit Task Force, Information Security Governance, Corporate Governance Report, April, 2004. http://www.cyberpartnership.org/