Security and compliance issues will continue to dominate IT initiatives as long as valuable data on customers, employees, patients and business financials is exchanged and stored. Historically, security teams focused on protecting sensitive data, and compliance teams focused on controlling its usage. These disciplines are actually two sides of the same coin. Regulations and mandates worldwide are validating this viewpoint, requiring security and compliance teams to work together. While this challenges many organizations, the advantages of an integrated approach include reduced costs, improved efficiencies, robust security and compliant controls.
Multiple Regulations and Mandates
A growing number of mandates complicate matters. The U.S. has Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI), California Senate Bill 1386 (CA SB 1386), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and others. Mandates in Europe include PCI as well as the European Data Protection Directive (DPD) and the Basel Capital Accord (Basel II).
In certain mandates and in some parts of PCI, compliance requirements are vague. The process of interpreting requirements against a unique IT infrastructure presents a daunting project. In this article, I will use PCI as an example to provide guidance across a range of regulations and industry mandates.
Protection and Control of Sensitive Data
Organizations must protect sensitive data and ensure that all access to and usage of sensitive information is controlled. In PCI, sensitive data includes credit card information, while under other mandates the list includes digital identity data, personal health records, employee records and business financials. PCI states that companies must protect cardholder data and that logging mechanisms and the ability to track user activities are critical. Section 10.3 describes required audit trail entries. Section 10.5 requires organizations to secure audit trails so they cannot be altered. This data is often accessed through enterprise resource planning (ERP), customer relationship management (CRM), e-commerce and other applications. Thus, many regulations and mandates address multiple tiers of IT infrastructure, from the database through the application to the Web interface.
Application Data Security and Compliance Lifecycle
As regulations proliferate, a split approach to IT security and regulatory compliance won't work. Organizations need a more rational and efficient mechanism to meet multiple requirements across both security and compliance. With a sound process, it is possible to meet multiple mandates. The following application data security and compliance lifecycle offers a simple four-step approach.
Figure 1: The Four Steps of the Application Data Security and Compliance Lifecycle
Step 1: Discover and assess. First, find systems that store sensitive data and conduct a thorough risk assessment of those systems. From a security perspective, organizations must find configuration problems that create or fail to close vectors for attack. From a compliance perspective, they must find configuration problems that undermine system integrity, which is essential for policy creation and the setting of data usage controls. PCI requirement 2 warns against using vendor-supplied defaults for system passwords and other security parameters, to ensure that systems have no back-door vulnerabilities that could be used to bypass security or auditing and logging functions and controls.
In conjunction with this exercise, organizations need to identify which users normally access sensitive data and how they need to do so. Requirement 7 of PCI requires businesses to "limit access to computing resources and cardholder information only to those individuals whose job requires such access." This information is necessary to understand the baseline of legitimate behavior in order to create policies and controls around that baseline.