One out of every two IT security professionals spends 50% of the work week on regulatory compliance initiatives, according to a new survey sponsored by eEye Digital Security.

Meeting regulatory compliance objectives such as the Payment Card Industry (PCI) guidelines, Sarbanes-Oxley (SOX) and healthcare-related mandates is time consuming, according to the results of the “2010 Vulnerability and Management Trends Report,” which polled more than 1,900 IT security professionals and is sponsored by eEye Digital Security.

The considerable amount of time that security professionals may spend meeting regulatory compliance goals doesn’t surprise Dave Wiseman, director of information security and business continuity at St. Luke’s Health System in Kansas City, Missouri. That regulatory compliance takes up to 50% of work time “is probably pretty accurate,” Wiseman says. PCI, SOX and healthcare’s HIPAA and HITECH Act are among the regulatory requirements that the hospital system must meet, he adds.

One compliance task for the healthcare organization involves log management, and to that end St. Luke’s deployed LogRhythm’s centralized log management product to correlate log data and security alerts from a variety of security gear. This lets St. Luke’s establish a security dashboard for the staff’s general use, and “we also use this for server management, to see when services unexpectedly stop,” Wiseman adds.

Among other findings in the “2010 Vulnerability and Management Trends Report,” 73% of survey respondents said their organizations have as many as 100 applications deployed, and 64% said Microsoft applications account for up to 75% of their organization’s deployed applications. Microsoft applications “continue to place the most impact on organizations when it comes to security, regulatory compliance and configuration management,” the report states.

In a related announcement, eEye Digital Security said it has updated its Retina CS Management Console 2.0 for vulnerability management of Windows-based machines to include regulatory-reporting packages for SOX, PCI and FISMA, and tools for baseline configuration as well as patch-management analysis.

“A year ago, we started heavily investing our engineering efforts on this,” says Marc Maiffret, co-founder and chief technology officer at eEye, about the newly released CS Management Console 2.0 that works with eEye scanners.

“These are advanced reporting analytics,” Maiffret says, which will allow Retina CS Management Console 2.0 to look at a wide variety of configuration and compliance definitions in order to check whether Windows-based machines adhere to various requirements. One example is Security Control Automation Protocol (SCAP), which is required by the federal government in its Federal Desktop Core Configuration mandate.