The bad news about compliance for IT infrastructure is - wait, you already know the bad news.
The good news is there are efficient ways to deal with compliance - ways that will send multiple benefits rippling through your organization. You'll save money, become more efficient and benefit from a more-secure network, all while simultaneously becoming better equipped to deal with some of the most complex alphabet-soup issues of the day, including HIPAA, SOX, 21 CFR Part 11 and the ITIL standards, to name a few.
The key is network configuration management.
Network configuration management centralizes information about your networks, automates the deployment of device configuration updates, tracks all changes to configurations and hardware, and provides an auditable trail of everything done to your network devices, approved or not. Now you're starting to see how network configuration management can be a valued compliance tool.
Simply put, proper configuration management is a core element in maintaining compliance. You have to get down to the device level to garner compliance. What does my network infrastructure look like? What devices do I have out there, and how is each device configured? What are my standards for secure configurations and are my devices up to my standards? Do I know who has access to change my infrastructure and can I track all changes? Can I demonstrate compliance when the auditors come to visit without disrupting my entire staff? These are the critical questions you must answer to be in compliance.
Look at it this way: If an organization can't quickly deploy security patches, roll out new passwords, update its access control lists and make other changes, the security of the network could be unnecessarily compromised. Network configuration management streamlines and automates this entire deployment process - turning what can consume days or weeks into a job that takes minutes.
Additionally, network configuration management takes a proactive approach. A good solution informs IT of unauthorized configuration changes and alerts the appropriate systems and people. This enables identification of the change and allows you to roll back the device to its previous configuration state and deploy whatever updates are necessary to block future unauthorized access. It automatically checks all changes to network devices against standards both before and after deployment to ensure that devices stay correctly configured. The system should provide an overall solution for defining and centralizing management processes and enforcing those processes while increasing, rather than decreasing, efficiency.
This article isn't meant as a complete guide to complying with HIPAA, SOX and the rest. Rather, it is an explanation of why it is smart for organizations to tap into one significant piece of the puzzle: network configuration management.
The Word on HIPAA
The Health Insurance Portability and Accountability Act is a sweeping piece of federal legislation with wide implications for the entire medical industry. Among its mandates are security standards and administrative safeguards for confidential patient information. These standards dictate that data must be stored and transmitted safely. More good news: helping to secure the network infrastructure that transmits that protected data is a large part of what network configuration management does.
Think of network configuration management as an additional layer among your multiple layers of security - it being the one that helps simplify, codify and accelerate the others. This is a fundamental need when it comes to HIPAA.
HIPAA is something of a blessing because it forces companies to dig well beyond the core healthcare applications to look at the devices being used to transfer that data from application to application. Who can access your application servers? Can you control who has access? Do you know if they are configured appropriately? Can you prove it?
A good network configuration management solution provides IT professionals with the means to define HIPAA-compliant device configuration templates and to automatically conduct compliance tests on a regular basis. It gives network managers the scalability to deal with secure technologies like encrypted tunnels for secure communication. The benefits are twofold: HIPAA policies are easily updated and constantly validated with minimal time and effort, and operators have more time to focus on strategic projects that will have a positive impact on the business.
Wearing SOX Proudly
Public companies have to be particularly careful with Sarbanes-Oxley, but even privately held companies should be paying attention because they don't operate in a financial vacuum. The primary issue here is that CFOs and/or CEOs are responsible for the integrity of the financial information. There is no way to assure that information without being in complete control of the IT system. Security policies must be maintained - and there must be proof that those policies are being maintained.
A central need, whatever the compliance challenge du jour, is the ability to prove that networks are not just compliant today, but that they were compliant and configured properly at any date in the past. A good configuration management solution makes this task easy and fast. Doing it manually could paralyze your IT department for weeks.
Were you in compliance last October 20? Was your infrastructure configured properly on that day? Without a network configuration management solution the only truthful answer would be, "I don't know." With the right solution you can pull the configuration profile of the network on that date, run it against the compliance standards and validate that you were in compliance.
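The point-in-time check described above, as an added example that is not part of the original article: a constructed archive of timestamped router configuration snapshots, a small set of hypothetical standard rules (not taken from any regulation), the query that answers whether the device was compliant on a given date, and the pre-deployment gate the earlier section describes.

```python
from datetime import date

# Constructed sample archive: timestamped config snapshots for one router, as a
# configuration-management system would store them. Not real device data.
HISTORY = [
    (date(2005, 9, 1),
     "hostname edge1\nservice password-encryption\nline vty 0 4\n transport input ssh\n"),
    (date(2005, 10, 15),  # constructed unauthorized edit: telnet re-enabled, encryption dropped
     "hostname edge1\nline vty 0 4\n transport input telnet ssh\n"),
    (date(2005, 10, 28),  # rollback to the previous compliant state
     "hostname edge1\nservice password-encryption\nline vty 0 4\n transport input ssh\n"),
]

# Hypothetical compliance standard: each rule is a predicate over the config text.
RULES = {
    "password-encryption": lambda cfg: "service password-encryption" in cfg.splitlines(),
    "vty-ssh-only": lambda cfg: all(
        line.strip() == "transport input ssh"
        for line in cfg.splitlines() if line.strip().startswith("transport input")
    ),
}

def config_as_of(history, when):
    """Return the configuration in effect on `when`: the latest snapshot not after that date."""
    snaps = [(d, cfg) for d, cfg in history if d <= when]
    if not snaps:
        raise LookupError(f"no configuration archived on or before {when}")
    return max(snaps, key=lambda s: s[0])[1]

def violations(cfg, rules=RULES):
    """Names of the rules the given configuration fails, sorted for stable reporting."""
    return sorted(name for name, ok in rules.items() if not ok(cfg))

def compliance_at(history, when, rules=RULES):
    """Answer 'were we compliant on that date?' from the archive alone."""
    return violations(config_as_of(history, when), rules)

def approve_change(candidate, rules=RULES):
    """Pre-deployment gate: a candidate config is approved only if it violates no rule."""
    return not violations(candidate, rules)

if __name__ == "__main__":
    for when in (date(2005, 10, 1), date(2005, 10, 20), date(2005, 11, 1)):
        print(when, compliance_at(HISTORY, when) or "compliant")
```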
It is really about managing standards, not devices. A good configuration management solution allows organizations to define standards and then ensure that they are in alignment with compliance requirements. Compliance really comes down to managing your infrastructure through best practices. As a result you don't just get easier compliance, you get better network security, better availability and a better-running, more efficient organization.
Yes, and 21 CFR, Too
The FDA's guidelines for electronic records, otherwise known as 21 CFR Part 11, require organizations to employ procedures and controls ensuring the authenticity of electronic records. This is aimed at ensuring that signers cannot readily repudiate signed records. To satisfy this requirement companies must, among other things, employ procedures and controls that include the use of computer-generated time stamps.
There's more to this than first meets the eye. You must also consider the compliance requirements for the networks you use to transmit those electronic records. It is right there in the regulation: In order to be compliant your networks must "ensure the authenticity, integrity and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt." You must also document the components of the network (routers, switches and firewalls, for example) and document any changes made to them in an auditable manner. Examples of device changes that need to be documented include new versions of firmware and software, the addition of new network elements, and software upgrades, fixes and/or service packs.
Helping You Plan and Prepare
By going through a detailed planning process, a company defines the security policies, access privileges, password requirements, maintenance updates, traffic flow and other details required to secure the network. There is no other way. Defining and implementing the right security strategy and policies is the foundation. A solid security strategy must also include the means by which to cost-efficiently monitor and detect network vulnerabilities and deploy device configuration changes to address those vulnerabilities throughout an organization. Network configuration management is a cost-effective tool in all these endeavors.
The traditional approach to configuring network devices has been a disorganized mix of manual processes, homegrown tools and vendor-specific applications. This path is people-intensive and prone to error. It leads to weak security and very often non-existent documentation of the network and its change history. What's needed is a comprehensive software solution that enforces consistent security across your entire network and automates the documentation of your network. What is needed, in other words, is a good network configuration management solution.
With a solution in place to track, audit and validate compliance with stringent government regulations, your organization is better off all the way around. You can define and enforce configuration standards and conduct compliance audits in a completely automated fashion. You always have a complete digital audit trail of changes made throughout the enterprise. You know when network configurations violate corporate standards and whether violations occur from an internal error or from a malicious intrusion from the outside.
You're no longer guessing and hoping.