theBaum - IT Search Blog: Archive for May, 2007

Demystifying Compliance

Today I gave a talk at the Interop Data Center Summit happening during the Interop conference this week in Las Vegas. The talk was titled Demystifying Compliance. The goal was to dissect what compliance regulations and mandates mean for the future of IT. It was well attended with roughly 375 people. Thanks to Andreas and Johna from Nemertes Research for inviting me to speak.

Interop was kind of a strange but interesting place to be talking about compliance. It’s traditionally a very networking-focused conference. Interop has its roots in proving interoperability of various vendors’ technologies. Three days before the start of the show more than 40 vendors build a network from scratch. It’s sort of a living laboratory of networking technologies — wireless, wired, security, management, etc.

But Interop has been growing up. The conference went through a “survival time” with the boom and bust of the networking market over the past few years. Now it’s leaner and meaner but healthy enough to start exploring things “up the stack” including security and yes, compliance.

Turns out not many people that attend Interop know much about compliance. I wasn’t even sure if they’d be interested : ) So I started out by trying to identify the top myths we get bombarded with about compliance and explore what the heck compliance really is and why IT people, in particular networking folks, should care.

Myth #1: Compliance equals regulations with specific actions.

False. The reality is most regulations have fuzzy or no detail about IT implementation. The dirty little secret of compliance is that auditors are getting rich off each new mandate. Since most mandates are not prescriptive at all, they require complex interpretation for every business. Auditors can also be finicky. What worked this year or this quarter won’t necessarily work next year or next quarter.

Myth #2: Compliance is an IT security issue.

False. Most mandates are just as concerned with the integrity and availability of IT systems. Security, it turns out, is only a part of what compliance mandate interpretation means for IT. In fact, mandates like SOX often place a much larger burden on IT because of the increased dependency on things like effective root cause analysis.

Myth #3: I have to store my original IT data for seven years.

False. Very few mandates specify data retention times. It used to be considered plausible to delete all your data after some period of time. Frank Quattrone and CSFB proved that theory wrong when the former investment banker was confronted with evidence of allegedly incriminating emails in a widely publicized series of trials. The bank’s policy was that all emails were deleted after 30 days and thus they could not produce materials for trial. Unfortunately, those pesky emails always have a way of showing up cached on another server or laptop somewhere. But the question remains: how long should I keep my data? Since mandates don’t spell out specific retention times and you can’t keep everything forever, what do you do?

Myth #4: A canned set of reports will make me compliant.

False. See Myth #1. The regulations almost never list a specific report.

Myth #5: I need to buy a commercial solution to be compliant.

False. Vendors don’t have any special insight into what will make you compliant. In fact, the reports that vendors supply are typically developed by some junior product manager, sitting in a cubicle, trying to interpret what a mandate might mean for your industry and company. Needless to say, the auditors (internal and external) won’t buy off on that. How could they? They wouldn’t get paid!

What is compliance?

So if these are the myths, what is compliance? The interpretation of any set of compliance mandates really involves adhering to all standards, policies and regulations applying to a given organization in a given industry. Compliance is really an overlay to IT security, IT operations, HR, finance or any other business function. It is not a separate function in and of itself.

Compliance is usually driven by external laws and regulations (SOX) and internal policies (ITIL). Every business process in a mature organization has some compliance dimension.

Compliance is on the IT agenda largely because of a wave of accounting scandals exposing a lack of internal controls — Enron, Tyco and Andersen started a tidal wave of backlash for more checks and balances. More recently, the perceived threat of electronic sabotage to critical infrastructures has lots of IT people thinking about compliance. A piece in the Washington Post, for example, pointed out the number of times a day hackers slip past security measures and break into the national energy grid. Scary stuff.

But there have also been a number of well-publicized incidents involving the theft of information and identities. 45.7M credit and debit card numbers stolen from TJX. 145,000 consumers’ personal data purchased by 50 fraudulent companies from Choicepoint. AT&T’s online store web site hacked and credit card information for up to 19,000 customers stolen.

Of course, the continued expansion of IT into every aspect of corporate, public and private life means both our exposure to being ripped off and the number of compliance attempts to control the situation will only keep growing.

Why do companies care about compliance?

Because newer legislation and regulations with real teeth are now being put into law, companies are starting to really care about compliance. The Payment Card Initiative (PCI) includes the possibility of up to $500k per incident and possible termination as a merchant, meaning you can no longer take VISA or Mastercard. CA SB 1386 forces disclosure to each individual consumer of possible security breaches and identity theft, including notification by mail to every consumer impacted. And of course the lawyers are not asleep. Negligence lawsuits are now starting to set a higher standard for “duty of care.” A number of US banks are suing TJX over the costs they’ve incurred, and the courts appear to be very eager to hear the arguments.

Splunk 3.0 Sneak Peek Tour

We just finished our Splunk 3.0 Sneak Peek visits and more than 350 people attended. It felt like we were a rock band. Santa Clara, Los Angeles, Dallas, Chicago, New York, D.C. and Atlanta. Seven cities in two weeks. London is happening June 6th and we’ll have BT Radianz presenting. Check here for details.

Thank you to everyone who participated, especially in the customer round tables. The feedback has been very timely as we’re working on finishing 3.0 for GA soon. You can download the latest version of Splunk here.

Here’s a quick glimpse of the new UI. Yes, those are cool new graphs on a personalized dashboard.


I also wanted to thank again our partner and customer presenters.

Welcome!

I’m Michael Baum. Welcome to my blog.

I hope to find time to write about some of my favorite topics including:

  • Splunk and IT Search.
  • Technology gadgets and software — the stuff we all like to use.
  • Datacenter applications, servers, networks and security — the stuff we all have to keep running.
  • Business, entrepreneurship and venture capital.
  • Wall Street and investing.

Comments are always welcome and you can also reach me via email at thebaum (at) splunk (dot) com.