IT Compliance Advisor


March 11, 2011  8:33 PM

Survey: Cloud computing puts IT at the forefront of business strategy



Posted by: Ben Cole
cloud compliance, Cloud computing, cloud strategy, cloud-based services

There is no doubt that cloud use is expanding, and its influence is starting to show across several industries. For example, at a recent energy conference Microsoft CEO Steve Ballmer said a partnership with Baker Hughes built on cloud computing has enabled the oil firm to shorten a process involving oil well flows from nine months to 30 days.

Now, a CA Inc.-sponsored survey of 200 IT managers in the U.S. and Europe indicates that cloud computing may also be elevating IT’s role in business strategy. More than half (54%) of the respondents said that while the current value of IT is largely defined by its role as owner and operator of the IT infrastructure, they believe that within two years the primary value of IT will come from managing the IT supply chain. Fifty percent of those surveyed said that an increase in cloud-based services, particularly those that were formerly managed in-house, has contributed to this evolution.

Survey results also showed that IT professionals believe cloud computing accelerates agility (63%), innovation (58%) and collaboration with the business (57%). Respondents also predicted cloud computing will boost IT productivity (55%) and decrease the level of staff time/resources dedicated to IT support (40%).

Additional findings from the study include:

  • 60% of respondents said demand for personnel with expertise in cloud computing has increased in the last five years, and 63% expect demand to grow over the next two years.
  • 72% said their IT organizations are focusing more time on managing outsourced IT or cloud services providers now versus five years ago, including more time spent on vendor management.
  • Nearly 70% of respondents agree that an increasing number of CIOs and senior IT staff will have a business (as opposed to a technology) background in the future.

Respondents also anticipated new IT titles dedicated to cloud computing and cloud vendor management will emerge due to these trends. Predictions of what these new titles might be included cloud architect, cloud service manager, cloud integration specialist/expert, cloud security manager/engineer, director of cloud infrastructure and executive vice president of cloud technologies.

If these predictions about the expanding influence of cloud computing come to fruition, these positions will be needed to ensure a sound cloud strategy. Staying compliant in the cloud is another concern. But as we’ve examined in recent weeks, by taking an active interest, doing your homework on vendors, applying effective security solutions and being aware of public cloud risks, it is possible to be prepared for a more active role in the cloud. The proactive approach will pay off in the end, especially if the cloud continues its expansion and its influence on IT operations.

February 25, 2011  3:36 PM

Are information security professionals prepared for security threats?



Posted by: Ben Cole
cybersecurity training, information security professionals

It’s no secret that the threat of cyberattack is more potent than ever. Companies need to be on guard to maintain online security for their employees and customers — but are IT staffs prepared for the increased threat potential?

A new study says maybe not.

The study, from Frost & Sullivan, is based on a survey of more than 10,000 information security professionals. It found that new threats — created by the increased use of mobile devices, cloud computing, social networking and insecure applications, as well as by added responsibilities, such as addressing the security concerns of customers — have led to “information security professionals being stretched thin.”

The information security professionals surveyed said they need better training and that many technologies already are being deployed without security in mind. In addition, nearly two-thirds of the respondents did not expect to see any increase in their budget for information security personnel and cybersecurity training in 2011.

Other key findings from the study include:

  • As of 2010, there are an estimated 2.28 million information security professionals worldwide. Demand for professionals is expected to increase to nearly 4.2 million by 2015.
  • Application vulnerabilities are ranked by 72% of respondents as the No. 1 threat to organizations.
  • Nearly 70% of respondents reported having policies and technology in place to meet the security challenges of mobile devices, yet respondents still ranked mobile devices second on the list of highest concerns.
  • More than 50% of respondents reported having private clouds in place, while more than 70% reported a need for new skills to secure cloud-based technologies properly.
  • Respondents reported inconsistent policies and protections for end users visiting social media sites, and slightly less than 30% have no social media security policies whatsoever.

Companies can reduce risk by investing both in attracting new entrants to the field and in professional development, said Robert Ayoub, global program director for network security at Frost & Sullivan. Although information security professionals are being relied on for the security of organizations’ most mission-critical data and systems, they are being asked to do too much, he added.

A paradigm shift in global cybersecurity training and strategy is needed to address the skills gaps revealed by the study, experts said. They suggest a combined effort of industry, government, academia and the profession to attract and educate information security personnel and equip current professionals to address the latest threats.

Even if this combined effort results in an influx of cybersecurity professionals, will there be enough of them, and will they be in time to prevent the growing threat of cybercrime? There is no doubt that proper steps must be taken by individual organizations, as well as by the IT industry as a whole, to ensure proper cybersecurity training for cybercrime prevention.

So governance, risk and compliance managers take heed: Staff on the front line of cybersecurity need to be confident that they have adequate tools. The protection of your company’s sensitive information could depend on it.


February 18, 2011  2:25 PM

Potential card fraud victims say it’s the response that matters



Posted by: Ben Cole
card fraud protection, fraud victims, victims of cybercrime

SearchCompliance.com recently wrote about how victims of cybercrime are often consumers targeted via their personal-use technology, such as handheld devices. Now, another report is reinforcing that cybercrime is on the rise and highlighting the importance of customer service and response when online fraud occurs.

ACI Worldwide’s “2010 Global Card Fraud Survey,” which polled 4,200 consumers in 14 countries, shows that 29% of consumers across eight major economies have been victims of credit card fraud in the past five years. However, there’s good news in there for the breached establishments: 79% of these victims were satisfied with the response from their financial institutions.

To be sure, credit card fraud might push some customers to seek greener pastures. As a result of being a card fraud victim or knowing someone who was, 41% of survey respondents say they would change or consider changing their financial institution.

But 45% of respondents say their decision would depend on the quality of service they received in the wake of the incident. The main indicator of customer satisfaction is the speed at which money was refunded following fraud (34%), followed by the financial institution’s ability to identify the fraud before the account holder becomes aware of it (27%). For American consumers, the bank’s ability to identify the fraud before they do (40%) matters more than its success in actually getting the money back quickly (32%).

Even with the most innovative, cutting-edge cybercrime-prevention strategies in place, cunning criminals often find a workaround. Luckily for the financial institutions, it appears that consumers trust their banks to protect their assets and truly appreciate their banks’ swift responses when unfortunate circumstances strike: Of those surveyed, 81% have confidence in their financial institution to protect them from online card fraud, and only 19% of consumers feel that their banks could do more to protect them.

When fraud hits, timely notification on the part of the bank is probably the best way to placate customers: More than half of the survey’s respondents say they want their bank to contact them if they notice suspicious activity on their card.

Jasbir Anand, lead solutions consultant at ACI Worldwide, said in a statement that it is clear that financial institutions and processors are working to combat card fraud and protect potential fraud victims — and this is paying dividends in terms of customer satisfaction.

“However, fraud is constantly changing and, looking forward, the industry will need to increase focus on identifying identity theft and assisting victims to maintain this improvement in customer experience,” Anand said.

It seems that a quick, honest response when your system has been breached is the most appropriate way to keep your customers happy (or as happy as they can be when confronted with cybercrime). If customer communication isn’t your financial institution’s strong point, you could lose more than money: Your customers’ hard-earned trust could walk out the door with it.


February 14, 2011  8:48 PM

Security solutions can take the worry out of cloud compliance



Posted by: Fohlhorst
cloud compliance, compliance officers, security solutions

Many compliance officers look at the cloud with suspicion, concerned with just how much data they can move there and still maintain cloud compliance. The central issues are the exposure of critical data to interception and the prevention of data loss.

This poses a difficult challenge: data in motion, whether on a local area network (LAN) or the Internet, needs the same rock-solid protection regardless of the transport mechanism in use. That is hard because the security controls available on a LAN are more robust and more controllable than those available across the Internet. This imbalance keeps compliance-bound data off the Internet and so rules out low-cost cloud services.

The answer to this imbalance lies in applying effective security solutions to each element involved in the storage and transmission of data. This is relatively simple for compliance officers to accomplish on the local level, but much more difficult to accomplish in the cloud.

Simply put, if the level of protection for data is consistently enforced throughout its journey, then cloud compliance shouldn’t be a problem. The key element becomes the creation, application and enforcement of a consistent protection policy.

When looking to secure the cloud for compliance purposes, it is important for compliance officers to make sure a security solution offers scalability, automation and auditing, and has adequate speed to meet traffic needs. It is the cloud, ironically, that creates the security problems, but it takes a cloud service to solve them.

All is not lost. Security technology, working hand in hand with policy-driven enforcement, is starting to transform into cloud-based services. For example, CloudPassage, a cloud services company, has ambitions to transform how security is accomplished across a broad, multi-connected enterprise using commonly accepted concepts.

CloudPassage’s approach to the problem is an interesting one compared with those of its competitors. It uses SaaS to secure public and private clouds, which allows its product to serve as a virtualized firewall and also to enforce security policies on the servers anchoring both private and public clouds. This hybrid approach can deliver security solutions that meet cloud compliance needs while still allowing businesses access to clouds.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.


February 7, 2011  7:23 PM

SOX compliance possible for smaller companies with proper preparation



Posted by: Ben Cole
SOX assessment, SOX compliance

A few months ago, SearchCompliance.com wrote about the difficulties smaller firms sometimes have with SOX compliance. But Abiomed, a Massachusetts medical device manufacturer with approximately 350 employees, says there are reasonably priced GRC systems on the market to help a small company meet requirements — you just have to do your homework.

During a webcast last week, Abiomed CIO Sharon Kaiser suggested using a GRC tool to manage compliance-related changes through the request, development, testing and approval stages and on into production. Tools that capture audit reporting information and support your business processes with automated workflows can help too.

Kaiser suggested seven key points to remember when seeking SOX compliance:

  • Don’t tolerate energy-sapping manual processes.
  • Understand management’s need for GRC data.
  • Look for a solution that meets your needs and is manageable for your company.
  • Seek to “embed compliance” — automate capture of audit data at the time of execution.
  • Enable ad hoc, on-demand audit reporting.
  • Look for tools that will streamline routine IT operations.
  • Embrace GRC — view it as a tool for innovation.

Kaiser went so far as to say that SOX audits do not have to be quite so time consuming, and deployment for Abiomed was “quick and painless.” However, she added that it is necessary to be prepared and plan the transition, to understand what you are getting, and to determine what functionality you will use and how.

This is all good advice. In a previous article, contributor Adrian Bowles wrote that “it is still too difficult for small shops to deal with separation/segregation of duties, which require that different people have access to applications and data throughout the lifecycle to provide adequate controls against fraud.” Bowles added that in smaller companies, one person may have multiple roles at different times, making compliance “a thorny issue.”

But Abiomed shows that it is possible for a smaller company to achieve compliance by using proper planning and distribution of duties. After the company decided to re-evaluate how it wanted to define and manage SOX compliance, it hired an outside auditing company for an initial SOX assessment. The company then put together a project plan to conduct a business and financial risk assessment, identify key controls for each major risk area, and create a control matrix for only the key controls and develop the associated test plan.

Abiomed decided that business and IT needed to organize around defined policies, that new processes were needed to handle events such as personnel role changes and their impact on authorizations, and that training was important so that people understood their role in SOX compliance. The company also identified challenges, such as a limited IT staff that must be knowledgeable about IT SOX controls, and it reduced the time, expense and distraction associated with manual audits.

Abiomed’s experience shows that SOX compliance for smaller companies does not have to be time-consuming or expensive — if companies do their homework and adequately prepare.


February 2, 2011  6:10 PM

Compliance solutions must be tied to IT management solutions



Posted by: Fohlhorst
compliance solutions, IT management solutions

If you look closely at the software specifically designed for compliance officers, it all shares the same three functions: it helps define policies, carries out auditing and reporting, and remediates. This clean, three-step process looks like a sensible way to deal with regulatory compliance.

But in the real world, things are never this straightforward. In fact, I’m beginning to think that IT-enforced compliance has to be approached in a whole new way. Instead of compliance solutions being bolted on top of IT management solutions, compliance software needs to become part of IT management’s DNA.

This approach would signal a paradigm shift in how compliance becomes interwoven with desktop management, security and IT policy enforcement. The problem is that so few solutions offer a foundation that integrates compliance with traditional day-to-day IT operations.

Even with this foundation available, it raises questions for harried compliance officers: Can IT management solutions deliver relief? Can policy generation tools enforce remediation? Do audits have to deliver only bad news?

Answers to these questions (and many others) could come from thinking about compliance as part of the infrastructure and resource management at the platform level. In other words, a unified approach that weaves the DNA of compliance with that of IT asset management, patch management, provisioning and auditing.

I can’t think of a solution today that offers all of this, as well as the ability to grow and keep pace with ever-changing enterprise-class infrastructures. But there may be hope. Recently I came across a startup, Puppet Labs, which is transforming itself from a services provider to a software company.

The company’s new product, called Puppet Enterprise, is a data center automation and configuration management product built on the open source Puppet framework. While not a compliance solution per se, it can serve as a policy-driven IT management platform that IT shops can use to incorporate compliance auditing and remediation at the provisioning level.
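To make “auditing and remediation at the provisioning level” concrete, here is an added example manifest; it is not from the original post or from Puppet Labs. It states a small SSH hardening policy as Puppet resources so that the same definition can be used first to detect drift and then to correct it. The class name, the host assumptions (a Linux system with OpenSSH and either a Puppet agent or `puppet apply`) and the specific settings are assumptions chosen for illustration, not a prescribed baseline.

```puppet
# Added example (not from the original post or from Puppet Labs).
# Declares a small SSH hardening policy as desired state. The class name
# and the chosen settings are hypothetical; they stand in for whatever a
# real compliance requirement demands on a given host.
class compliance::sshd_baseline {

  # Policy for the daemon configuration: root-owned, not world-readable,
  # password logins and direct root logins disabled, verbose logging so
  # that authentication events reach the audit trail.
  file { '/etc/ssh/sshd_config':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\nLogLevel VERBOSE\n",
    # Reload the daemon whenever the file is brought back into compliance.
    notify  => Service['sshd'],
  }

  # The service must be running now and enabled at boot.
  service { 'sshd':
    ensure => running,
    enable => true,
  }
}

# Apply the policy to this node.
include compliance::sshd_baseline
```

Running `puppet apply --noop --detailed-exitcodes baseline.pp` is the audit step: every resource that is out of policy is reported without anything being changed, and an exit code of 2 signals that changes would have been made. Running the same manifest without `--noop` is the remediation step, and the run report records what changed and when, which is the evidence an auditor asks for. Note that managing `content` this way replaces the whole file, so in practice you would manage the complete `sshd_config` rather than the four lines shown here.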



January 25, 2011  6:51 PM

Cloud computing services can turn compliance pain into compliance gain



Posted by: Fohlhorst
CIO, Cloud computing, compliance

Bound by what they feel are overly strict compliance regulations, many companies are shying away from cloud computing services. On the surface, their reasons for this may appear to be sound. But when you drill down a little deeper, they may not prove so sound.

Organizations that say no to cloud computing services usually do so on the basis of misinformation or unverified assumptions. Put bluntly, these companies use compliance as an excuse to rationalize a fear of change. Those fears will likely come back to bite them, because surviving in today’s dog-eat-dog environment depends on embracing new technologies, not running from them.

The bigger issue here is the word cloud itself. Once it is uttered, most compliance officers automatically associate it with publicly available services routed across the Internet. But nothing in the term requires a cloud to be publicly accessible, and this is where many organizations make their mistake. The fact is, cloud computing services can turn compliance pain into gain, although there are a few caveats.

First, going to the cloud does not mean putting your databases into the ether. Cloud is just a catchall term for services delivered through a model other than the traditional client/server one. A business can, for example, build a private cloud with no connectivity to the Internet, use it to create Web-based applications that replace legacy apps, and in doing so add layers of auditable security.

Local, or private cloud-based applications can be designed to keep all data off PCs’ local hard drives. Taking this one step further, organizations can virtualize desktop systems and then deliver those systems to users on an internal network, still maintaining control over data flowing from the internal Web server to the user.

This trend bodes well for compliance officers because the user’s ability to tamper with the data is severely limited. Companies such as Oracle, IBM and Microsoft are all beginning to tout the security advantages private clouds offer for consolidating databases, preventing breaches and improving the management of data.

The moral of this story is to not close the door on the cloud. Not until you have carried out due diligence by evaluating your current levels of security and thought through how a private cloud can actually give you better control of your data.



January 14, 2011  5:42 PM

PCI DSS 2.0 changes ‘virtually’ improve IT compliance ROI and TCO



Posted by: Fohlhorst
PCI DSS 2.0, ROI, TCO

Most compliance officers know the change in calendar years brings with it operational changes driven by new legislation. And with the broad assortment of new rules and regulations kicking in this month, 2011 will be no different than any other year.

But it is not the expected regulatory changes by themselves that will have the biggest impact on how compliance strategies evolve this year. Rather, it will be the impact of their hidden changes that hit the hardest.

For example, take version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS), which brings several changes to how cardholder data must be handled and protected. Arguably, the most significant of these changes is the acknowledgement of virtualization.

With PCI DSS 1.2.1, it was necessary to keep distinct functions physically separate to satisfy auditors. Simply put, each function needed its own dedicated processor, storage and memory, creating a tangible separation of functions. PCI DSS 2.0 changes all of that by recognizing virtualization, so functional segregation can now take place using virtual machines. (The hypervisor hosting those virtual machines is itself in scope, so it must be hardened, patched and audited like any other component of the cardholder data environment.)

This may not seem like a big deal to many compliance officers. They may feel it is merely an acknowledgement of technology that has long been entrenched in the data center. In practice, however, PCI DSS 2.0 proves to be one of the biggest advances for those bound by version 1.2.1’s archaic rules.

With PCI DSS 2.0, all of the money-saving capabilities of virtualization can now be realized. Implementers can reduce server footprints, require fewer physical machines, and lower electrical and management costs.

The lesson this story teaches is you need to look closely at the true impact of compliance rule changes. These new technologies and accompanying rule changes can significantly improve ROI and lower the total cost of ownership (TCO) compared to many compliance regulations of the past.

And, as such, an expensive burden can actually become the pathway to savings.



December 21, 2010  3:06 PM

Complex technologies complicate compliance officers’ role in 2011



Posted by: Fohlhorst
chief compliance officers, CIO, virtual desktop infrastructure

The task chief compliance officers face in routinely crafting multifaceted solutions involving complex technologies doesn’t figure to get simpler any time soon.

Complexity is usually the enemy of any working process. The more complex a technology or environment, the more likely a process that depends on it will fail. Nowhere is this more evident than in the compliance arena, where the rules and regulations change as frequently as the technology they must work hand in glove with.

So the question compliance officers need to ask is: How do I deal with the complexities of IT change? As a number of complex technologies take deeper root over the course of 2011, it will be an important question to answer.

For instance, many companies are piloting virtual desktop infrastructure (VDI) projects, setting the stage for a future in which PC operations take place back in the data center, reducing desktop PCs to little more than dumb terminals. Because the promise of VDI is multifaceted, including the hope that it will solve many security and support problems, many are predicting that VDI will become prevalent in 2011.

But if you ask most VDI projects leaders how VDI affects compliance, you will get a blank stare. While there is plenty of finger pointing to go around in cases like this, it all comes down to simple communication. However, nothing is simple with compliance, even communications. The very nature of compliance leads to secrecy, and that secrecy is both the enemy and ally of IT projects.

Similar issues are bound to arise as virtualized applications, Software as a Service solutions and even cloud computing initiatives take hold in the enterprise, all of which will continue to be hot technologies well into 2011 and beyond.

Meeting the challenge of new IT implementations will take more than a little finesse on the part of the harried compliance officer, as he or she becomes enveloped in network security, technology planning, human resources and executive management.

Happily, many vendors have recognized the dilemma facing compliance officers and are launching services to help with compliance. EMC, for instance, has announced expanded consulting services to help organizations meet the Payment Card Industry Data Security Standard 2.0, which becomes effective Jan. 1. Other vendors are sure to follow with services and solutions aimed to accelerate compliance. It would be nice if these vendors decide not to wait until just a month before a new standard hits the streets to announce plans to help.



December 13, 2010  4:05 PM

WikiLeaks shows how better compliance technology can protect data



Posted by: Fohlhorst
CIO, data protection, IT compliance, Wikileaks

The latest WikiLeaks debacle hopefully pounds home the point to corporate IT shops why implementing sound compliance technology can better protect data, and what the consequences can be if they do not.

Whether or not people take heed, compliance issues are certainly coming to the forefront in most analyses of the latest WikiLeaks flap. But in most of these analyses, it is unmistakable how ineffective technology was at enforcing compliance.

Consider this: There is an abundance of compliance requirements, including regulation for consumer credit reports (FCRA), for merchants (PCI DSS), for public companies (Sarbanes-Oxley), for health data privacy (HIPAA/HHS) and for children’s online privacy (COPPA), as well as regulations for insurance, securities trading, telecom and many more.

Most, if not all, of these requirements rely on technology to enforce compliance. WikiLeaks teaches us that it is the human factor and not technology that leads to the most damaging of breaches. All it takes is one disgruntled employee to destroy the security around intellectual property, private data or corporate secrets. But how can one build technology to prevent that?

There is no simple answer. Perhaps the only way to handle these situations is with the threat of severe penalties, and therein lies the secret to compliance technology. Enforcing severe penalties requires incontrovertible evidence, so in this particular case technology that monitors activity and audits usage becomes the key to plugging leaks.

If users are properly educated on the implications and penalties involved in disseminating unauthorized information, and are informed that access is tracked in numerous ways, perhaps technology can prevent the issues now plaguing the U.S. Defense and State Departments.


