IT Compliance archives - IT Compliance Advisor


Sep 28 2009   9:23PM GMT

Information security and compliance resources from around TechTarget



Posted by: Alexander Howard
Information security, Health care, PCI DSS, Health Insurance Portability and Accountability Act, policy, Wired Equivalent Privacy, Security, Payment card industry, IT compliance, compliance, HITECH

The laws and regulations that CIOs and CISOs must understand and reflect in their operations are by nature applicable to many different areas of information technology. As a recent study on the privacy profession showed, privacy policy success lies in collaboration with IT. Finding good compliance resources to keep abreast of news and technologies is crucial.

The diversity of stakeholders involved in IT compliance is reflected in the many compliance resources that are published each month across the TechTarget network of IT media. For instance, this month’s Storage Decisions Conference explored how storage managers must explain retention, email archiving and compliance.

At SearchOracle.com, there’s news about how Oracle updated Agile PLM for food and beverage compliance, allowing manufacturers to better analyze ingredients for safety.

At SearchFinancialSecurity.com, a new story explores full disk encryption, which is fast becoming a priority for laptop security in midmarket companies given increasing fears of data breaches. The article explains how to choose full disk encryption for laptop security, compliance.

Earlier this year, SearchNetworking.com ran “New PCI compliance rules ban WEP, tighten wireless LAN security.”

PCI DSS compliance

Since security and compliance are bound closely together, it should come as no surprise that SearchSecurity.com features new compliance resources regularly. That’s particularly true when it comes to PCI compliance.

Last week, site editor Rob Westervelt wrote “PCI virtualization SIG closer to proposing changes to standard.” Westervelt writes that the PCI Virtualization Special Interest Group, which has been studying virtualization for the payment card industry (PCI), is close to issuing guidance on ways to maintain PCI DSS compliance when using virtualization.

For more on PCI, editorial director Kelley Damore’s feature about what PCI compliance really means, in September’s issue of Information Security magazine, has a plethora of useful links.

Elsewhere on SearchSecurity.com, Eric Holmquist offered guidance on strategies for using technology to enable automated compliance.

Given that schools are back in session, IT admins entrusted with securing the records of students may find security expert David Mortman’s explanation for how to prepare for a FERPA audit useful.

Mortman also provides useful advice on a PCI DSS requirement for monitoring and testing security, on PCI DSS compliance and ensuring data integrity, and on understanding PCI DSS compliance requirements for log management.

And “across the pond,” SearchSecurity.co.uk wrote about new products that aim to streamline compliance efforts.

Healthcare compliance

SearchSecurity.com also publishes compliance resources that serve the fast-moving healthcare field, including stories like “FTC extends breach notification to Web-based health repositories” and “HIPAA compliance manual: Training, audit and requirement checklist.”

Again, Mortman provides expert advice in this area, including guidelines to create a HIPAA-compliant data center, HHS HIPAA guidance on encryption requirements and data destruction, and information on writing a patient identifier policy to prevent common HIPAA violations.

We’ve been covering healthcare at SearchCompliance.com as well, along with our sister site, SearchCIO.com, where senior writer Linda Tucci recently wrote that health care security and HIPAA compliance are on deck for CIOs.

We published “HITECH changes the game, but HIT standards still on way” this morning, in fact, following on our FAQ on the HITECH Act’s impact on IT operations and a tip about when a data breach under HITECH is really ‘discovered.’

Here’s hoping you find these compliance resources useful in your own efforts. If you have other websites you regularly visit to find compliance resources to help you meet regulatory mandates, please let us know in the comments.


Sep 3 2009   8:16PM GMT

Evaluating the cybersecurity plan and the role of a federal CISO



Posted by: Alexander Howard
United States Department of Homeland Security, U.S. Department of Homeland Security, Security, Government, cybersecurity, compliance, IT compliance, FISMA, strategy, CISO

In this episode of the IT Compliance Advisor, Associate Editor Alexander B. Howard interviews Patricia Titus about the Obama Administration’s cybersecurity plan, the creation of a federal CISO and where policy might move in the coming months. Titus was formerly chief information security officer at the Transportation Security Administration within the U.S. Department of Homeland Security.

Podcast: Patricia Titus on cybersecurity

When you listen to the podcast, you’ll hear Titus’ views on:

  • What’s new in the cybersecurity plan?
  • Why is it taking a while to name a cybersecurity coordinator?
  • Where is the U.S. CISO?
  • What would be the top challenges of a U.S. CISO, should one be appointed?
  • What are the elemental needs for implementing cybersecurity across government agencies?
  • How do the Rockefeller-Snowe Bill (S.773) and ICE Act fit into cybersecurity strategy?
  • What would ramping up the nation’s offensive capabilities in cyberwar mean?
  • What do compliance officers and CISOs need to think about this fall?

Note: Our colleague Mike Mimoso also interviewed Titus about the Obama cybersecurity plan in June for Security Wire Weekly, when the strategy was first released. The episode also features security luminary Howard Schmidt and Paul Kocher, chief scientist of Cryptography Research.



Aug 21 2009   4:10PM GMT

Clarifying mobile encryption requirements for 201 CMR 17.00 compliance



Posted by: Alexander Howard
CIO, Personally identifiable information, encryption, Open source, business, Mobile phone, Chief information officer, 201 CMR 17.00, data protection, IT compliance, compliance

When I reported on amendments to the Massachusetts data protection law earlier this week, one of the comments that undersecretary of consumer affairs Barbara Anthony made was a point of interest to many enterprise IT professionals who must determine what 201 CMR 17.00 compliance will mean.

Specifically, Anthony stated that, “We know right now that there’s no widespread technology for encrypting mobile devices, but we know it’s there for laptops.”


Given that the regulation’s language includes a requirement for encryption where “technically feasible,” the issue demanded clarification. I contacted Secretariat CIO Gerry Young, who was involved in drafting the original regulation. He offered the following guidance on mobile encryption:

“This just belies unfamiliarity with the current state of encryption. Even a cursory scan will show that technologies like Snapcell, Navastream, AlertBoot, SecurStar PhoneCrypt, Endoacustica and Babylon nG have carried cell phone encryption to fairly sophisticated stages.

“Encryption for cellular phones has evolved beyond even enterprise-class smartphones, and you are beginning to see robust offerings for 3G phones available at attractive price points.

“European companies like Navastream (Germany) are making inroads in U.S. markets to fill a clear void. This will help to drive competition, and push price points lower for the consumer.

“I would think that once there are free, open source encryption alternatives — along with a plethora of low-cost encryption vendors in the cellular market — that we would be ready to mandate cell phone encryption in the near future.”

In other words, encrypting mobile devices and smartphones remains a best practice, particularly where resident PII is present, but is not mandated for 201 CMR 17.00 compliance — yet.



Aug 20 2009   6:09PM GMT

Amended Massachusetts data protection act focuses on risk management



Posted by: Sarah Cortes
Federal Trade Commission, risk management, Information security, consumer protection, Security, Gramm-Leach-Bliley Act, FTC, 201 CMR 17.00, Massachusetts’ Data Privacy Law, privacy, data protection, regulation, compliance, IT compliance

As Alexander Howard reported earlier today, the Massachusetts data protection law has been amended. The revised data privacy regulations — 201 CMR 17.00, “Standards for the Protection of Personal Information of Residents of the Commonwealth” — include several key updates. If you are an information security professional, take note of these changes, as they will likely have practical implications.

The most immediate impact is the provision for an additional 60 days to comply with the regulations. The deadline for implementation is now March 1, 2010.

Individuals and municipalities have expressly been removed from guideline jurisdiction, with a clarification that the “regulation applies to those engaged in commerce.” Guidelines on the requirement for a written information security plan are now simplified.

A new definition for the term service provider was added. The Office of Consumer Affairs and Business Regulation also amended third-party vendor rules. There is now a two-year grace period, relative to existing contracts, and requirements for those third parties to be in compliance.

Encryption requirements have been clarified. The apparently strict but, practically speaking, vague 128-bit specification from the prior version was replaced by “technology-neutral language.”

Further, a “technical feasibility” standard has been incorporated, acknowledging that methods to securely encrypt data on portable devices may not yet be available. Email encryption now falls under the technical feasibility standard. Additionally, encryption of backup tapes has been clarified to include prospective encryption. So you may safely cancel your firm’s plans to encrypt existing backup tapes. Encrypting new backup tapes will still be required, along with any personal data that travels over the public Internet or wireless network.

In another change that I believe will ultimately enhance consumer protection, 201 CMR 17.00 has been brought in line with certain federal regulations. Specifically, the Massachusetts data protection act now cedes authority to the Federal Trade Commission’s (FTC) standards established under the Gramm-Leach-Bliley Act (GLBA). GLBA utilizes a risk management approach to data security.

The patchwork of 44 different state health data protection laws has delayed electronic automation of, and therefore overall security for, health records. Adopting a federal standard, starting with the FTC’s risk-based approach to data protection, avoids this pitfall and may make widespread compliance both more feasible and more likely in the near future.

On one hand, a risk management approach should be familiar to IT professionals. It shifts resources from “check-the-box” controls that may or may not address a particular organization’s specific risks to controls that make more sense in context. On the other hand, given the concrete definition of the personal information in scope, it is difficult to see where risk management would not be present whenever such personal data is stored.

“Mandating every component of a program and requiring its adoption, regardless of size and the nature of the business and the amount of information that requires security, makes little sense in terms of consumer protection,” said Bradley MacDougall, of Associated Industries of Massachusetts. Risk management and assessment will afford more consumer protection by matching a given business’ actual risks with required security investments.



Feb 18 2009   9:37PM GMT

Windows compliance: Resources on data retention and data protection



Posted by: Alexander Howard
Microsoft Windows, Microsoft, Operating system, Linux, Microsoft SharePoint, RSS, Windows compliance, IT compliance, COBIT, compliance documentation, data retention, data protection, CIO, CCO

As any CIO or compliance officer knows, compliance affects multiple parts of IT infrastructure and the organization as a whole. Strategy, security, storage, networking, records keeping and human resources are all part of the mix. As an editor at SearchCompliance.com, that means I scan the RSS feeds of all of TechTarget’s sites for relevant content, along with those of other compliance news sites from around the Web. Starting today, I’ll be posting a roundup of the resources I think you’ll find useful at this blog.

Recent research into the buying habits of you, our readers, showed that half of our midmarket CIOs are running Windows shops. That information comes as no shock to anyone. Most of the world lives on a Windows desktop, despite the recent inroads made by Mac OS X and Linux. There’s no question that heterogeneous computing environments are a concern for many a sysadmin. That said, Windows compliance is the crucial topic of the day.

So here’s a question for you: Are there unique issues that arise out of Windows compliance?

I’m certain that the answer is “yes” but I’d like to hear more about what system administrators, CCOs and CIOs are experiencing in their everyday working lives. Let me know what you think in the comments or at ahoward@techtarget.com.

In the meantime, here’s that roundup:

If you’re looking for a comprehensive resource, try The Windows Manager’s Guide to IT Compliance e-book. Chapter 1, for instance, offers best practices on establishing an event log audit trail, maintaining the event log, encrypting email or files and keeping an inventory of stored data. You can also download each of the three chapters separately:

Rebecca Herold has been a prolific contributor on the topic of Windows compliance as well. She’s an adjunct professor for the Norwich University Master of Science in Information Assurance program and is well into writing her 11th book. Her articles can be found at PrivacyGuidance.com, Realtime-ITcompliance.com and, of course, at SearchWinIT.com. (You’ll note she’s in our blogroll, down to the right.)

Earlier this month, Herold explained how to keep Windows shops in compliance with data protection laws. Protecting personally identifiable information is a key aspect of compliance in 2009, given new regulations coming down the (Mass) pike. Even if the Massachusetts data protection and encryption law deadline has been extended, it needs to be on your radar.

In past articles, Herold has also explored how to meet data retention compliance in a Windows environment. In her view, Windows managers must take an active role in learning data retention policies and creating procedures to support them.

Similarly, in her tip on meeting compliance requirements in a SharePoint Server environment, Herold suggests that before deploying SharePoint Server, IT managers should examine the compliance implications of using the collaboration tool in their Windows environment.

Herold also has written about how the service desk can help Windows shops meet SOX compliance objectives by using IT governance frameworks like COBIT and Microsoft Operations Framework.

Finally, if you’re still procrastinating on completing your IT compliance documentation, do it now.



Jan 28 2009   6:55PM GMT

The importance of risk management in IT compliance



Posted by: Alexander Howard
compliance management, risk management, IT compliance, compliance assessment, enterprise risk management, risk, key risk indicator

This is a guest post by Cass Brewer, the founder of Truth to Power Association.

John Rostern recently blogged here about the dangers of checkbox compliance, noting that regulatory compliance doesn’t always bring information security.

I’ll take that argument a step further: Especially in terms of PCI DSS, most companies might get better ROI and comparable outcomes if they simply lied on their PCI DSS self assessments and returned to sprinkling salt around their servers, or whatever (apparently) prevented system breaches before PCI DSS came along. As John so aptly notes, siloed, point-in-time compliance is generally inadequate — in terms of both control and cost.

Unfortunately, external mandates tend to pervert otherwise healthy plan-do-check-act operational strategies. In the rush to comply with regulatory panaceas for perceived pervasive risks, managers too often deprecate their own informed risk judgments.

This is a backward response. Enterprise risk management should be both an input and output of any compliance program. As an input, it lets managers “just say no” to immaterial audit recommendations, defines implementation priorities and ensures that relevant controls aren’t displaced by compliance checkboxes.

Management can operationally parse broad compliance requirements by aligning control responses with actual material and significant risks. Or it can limit the in-scope environment of specific controls to particularly critical or sensitive information: cardholder data, customer PII, systems logs, etc. Either way, the bulk of risk management should occur on the front (planning) end of compliance. The risk management output of compliance programs is generally limited to risk mitigation.

Defining and measuring risks up front is also a cost-containment strategy. Under the Sarbanes-Oxley Act and other rules, organizations can exclude irrelevant “compliance” activities aimed at immaterial and insignificant threats. Of course, concrete documentation (and lots of it) is the key to defending such exclusions against auditor challenges.

Risk characteristics, including existence, criticality, likelihood and period, can further hone appropriate control responses. If a particular risk arises only once a year and potentially impacts just one disconnected system, a siloed, periodic response might be adequate. Of course, most risks are more constant and/or pervasive. Control efforts should respond to those characteristics, hitting compliance goals incidentally.

A risk management approach to compliance has opportunity benefits, too. It’s difficult to measure risk value (or risk abatement value) without understanding business-process value. In many cases, key risk indicators (KRIs) are complements to key performance indicators (KPIs). Defining one provides a base line for defining the other; and that base line is, in turn, a costing base line that supports more broadly strategic business decisions.

How does this work? Learn how to factor risk management into compliance assessments at SearchCompliance.com.

Cass Brewer is the founder of Truth to Power, a free and open research community for better information governance. At T2P and in her previous role as director of the IT Compliance Institute (ITCi), Cass has worked with thousands of compliance, audit, business, and IT leaders to develop practical guidance for corporate compliance and risk management. She can be reached at cbrewer@t2pa.com.


Jan 19 2009   8:37PM GMT

Podcast: Expert tackles e-health and compliance in healthcare IT



Posted by: Alexander Howard
e-health, compliance, IT compliance, healthcare IT, CCO, HIPAA, HHS, Enterprise 2.0, ECPA, podcast, consent management

What is the state of IT healthcare compliance in 2009? Dr. William Yasnoff has some thoughts.

Podcast: Dr. William Yasnoff on e-health and compliance in healthcare IT infrastructure

His reply to “Healthcare compliance gets boost from national HHS privacy framework,” a recent tip from one of SearchCompliance.com’s sister sites, demonstrated his deep understanding of the complex relationships among regulations, medicine and IT. A quick visit to his blog at WilliamYasnoff.com will confirm that he’s thought long and hard about the role of IT infrastructure in assuring patient privacy and health. SearchCompliance.com’s Alexander B. Howard found Dr. Yasnoff at his office last week and recorded a podcast.

Download Dr. William Yasnoff on e-health and compliance in healthcare IT infrastructure.

When you listen, you’ll learn the answers to the following questions about e-health, including what changes might be expected under the new Obama administration:

  • The United States Department of Health and Human Services (HHS) has released a new privacy framework that provides guidance to organizations that handle personal health information. Does the Health Insurance Portability and Accountability Act (HIPAA) apply? What are the privacy and data protection issues created by the movement to e-health records?
  • How does this directive affect IT compliance officers or system administrators at companies that handle e-health records? How could — and how should — a compliance officer change IT infrastructure and best practices to address the so-called HIPAA “audit hole?”
  • The incoming Obama administration made the digitization of health records a focus of its presidential campaign. How may the atmosphere around healthcare compliance change? What additional regulatory requirements may be introduced that compliance officers should consider?
  • What is Dossia? What role might this new entity, funded by corporations, play in e-health? How could Dossia affect e-health compliance? What is a health records bank? How many physicians currently use e-health records?
  • What is the Electronic Communications Privacy Act (ECPA)? What must a CIO, CTO, CCO or IT administrator do to remain in compliance with the ECPA?
  • What are some best practices for setting up IT infrastructure for healthcare institutions so that the systems are compliant? How will consent management factor into compliance in 2009?
  • How might emerging enterprise 2.0 technologies be adapted and applied by the incoming U.S. CTO, particularly with regards to e-health records?

William A. Yasnoff is founder and managing partner of National Health Information Infrastructure (NHII) Advisors, a consulting firm that helps communities and organizations successfully develop health information infrastructure systems and solutions. Previously, as senior advisor, NHII, Department of Health and Human Services, he initiated and organized the activities leading to the president’s creation of the Office of the National Coordinator for Health Information Technology, establishing the NHII as a widely recognized goal for the nation.

As vice president of research for Cell Analysis Systems Inc., he developed the first PC-based commercial system for quantifying DNA content of cells on slides in 1986. He later served as medical director of AMA/Net, the American Medical Association’s first online electronic information system for physicians. He subsequently restarted the network as U.S. HealthLink in Oregon.

Dr. Yasnoff is an associate editor of the Journal of Biomedical Informatics, adjunct professor of Health Sciences Informatics at The Johns Hopkins University, a board member of the nonprofit Public Health Foundation Enterprises Inc., and the author of more than 250 publications and presentations, including co-editor of the textbook ‘Public Health Informatics and Information Systems.’ He earned his Ph.D. in computer science and M.D. from Northwestern University, and was elected a fellow of the American College of Medical Informatics in 1989.
