thebaumblog: Archive for June, 2007

SOA Nightmares

This week I gave a talk at the SOAWorld Conference in New York. The focus was a discussion of recent SOA disasters and the challenges in managing large scale SOA architectures with examples from Citigroup, United Airlines, Research in Motion and Salesforce.com. We looked at the pluses and minuses of tools like business activity monitors, web session monitors, dependency mapping, change control and IT Search.

The audience was a mix of 75 software developers and IT architects. A good discussion followed about correlating large-scale data, anonymizing data sources and different models for mapping access controls to SOA message data.

Earlier this year

Compliance Interpretation Recipes

As a continuation of the compliance topic, let’s review some of the major mandates you might come across in IT. Some are more prescriptive, like PCI, and others are more open to interpretation, like SOX.

  • SOX is a securities regulation designed to ensure accurate financial reporting for public companies and companies preparing to go public.
  • PCI is a credit card industry security standard (not a law) to ensure cardholder data is protected. Anyone accepting credit cards or processing credit card payments must be concerned with PCI.
  • ITIL sets out specific IT process standards: best practices and frameworks for IT service management. Organizations usually adopt it because IT wants to improve overall processes and efficiency.
  • HIPAA is a healthcare regulation designed to drive the migration to electronic patient records while ensuring the privacy of those records through effective security controls. US healthcare providers and payers (insurers) need to pay attention to HIPAA.
  • FFIEC is banking regulation intended to keep banks from failing because of fraud. IT security is a small subset of it. US banks are subject to FFIEC examination.
  • DCID is a security directive designed to ensure the security of intelligence community and defense information systems. If you work for a US defense or intelligence agency or contractor, you have probably already heard of it.
  • NISPOM is a security regulation protecting the security of classified networks. US government agencies and contractors with classified data fall under its guidelines.
  • FISMA is a security regulation designed to bolster computer and network security within Federal Government agencies and their contractors.
  • ISO 17799 is a general information security standard addressing overall risk management and controls. Organizations that adopt it usually do so at the recommendation of their auditors.
  • CoBIT is a set of general IT process standards addressing overall risk management and controls. Organizations that adopt it usually do so because of their auditors.
  • COSO is a general internal control and risk management framework, which includes managing the risk associated with security breaches. Organizations that adopt it usually do so because of their auditors.

So those are some of the major mandates. What can you do to understand their potential impact on you, your job and your career? Certainly there are lots of people who’ve written about compliance who know far more than I do, but I’ve been trying to boil it down to a few simple recipes.

For any mandate, you should be sure that you understand its motivation and origin. Once you understand the motivation, your best recipe for success is to make that motivation your own. Educate your organization on what the mandate is designed to do. Create a climate in your organization where the mandate’s goals are also your goals. When the auditors and courts see that you have adopted the spirit and not just the letter of the law, deficiencies are more likely to be treated leniently, as anomalies. Some mandates, including HIPAA and FFIEC, are quite specific about the requirement to conduct an individualized risk assessment for a given organization relative to the mandate’s objectives, and then to adopt a customized set of controls based on that assessment.

As we’ve seen with recent prosecutions of corporate malfeasance, it is the individuals and organizations that take a cavalier attitude toward the law that receive the largest penalties.

Nearly every mandate you will face is motivated by one or more of the concerns behind the recipes that follow. You can gain leverage in a compliance program by adopting a consistent set of practices across multiple mandates that share common goals.

Once you understand each mandate, you can identify the specific controls that rely on log data. These usually fall into one of the following categories:

  • Monitoring IT data for security and operations issues.
  • Reporting on other controls using IT data.
  • Ad hoc search of log data for investigations & discovery requests.

1. Privacy Protection Recipe

Protecting customer, employee and consumer privacy is the motivator behind the security and privacy rules within the Health Insurance Portability and Accountability Act (HIPAA), which affects all healthcare providers and payers, including companies that self-insure. The Gramm-Leach-Bliley Act, GLBA, has a similar concern but with consumer financial information. California’s SB-1386 is becoming a model for other states of a particularly aggressive form of privacy protection. And last but not least, the Payment Card Industry security standard (PCI), enforced by the credit card networks for any organization accepting payments by credit card, is an extremely specific program designed to protect consumer financial information.

Monitoring: Monitor for network intrusions and suspicious outgoing traffic.
Reporting: Report on access control and firewall events to prove these controls are in place and properly configured.
Ad hoc search: Be able to investigate logs of access to data via applications, database queries and filesystem access. You may have to investigate any and all consumer reports claiming that your organization mismanaged their data, which may mean hundreds of ad hoc searches a week if you are a major consumer financial or healthcare organization.

2. Financial Reporting Recipe

Ensuring fairness in financial markets is the motivation for Sarbanes-Oxley. The scope of concern relative to IT is the prevention and detection of financial reporting inaccuracies, fraud, and revenue-generating service interruptions. IT auditors are equally concerned with security and operations. Concerns range from an authorized user of a business system abusing their privilege to execute fraudulent transactions, to downtime of a revenue-generating system causing lost revenue. Data integrity and business continuity are of significant concern, while privacy and secrecy are largely out of scope.

Monitoring: Monitor for suspicious transaction patterns, data changes that bypass application logic, and system failures.
Reporting: Report on and review new kinds of events, system changes, and data changes.
Ad hoc search: Ensure that developers can do ad hoc searches of logs without accessing production systems, since strict access controls will be in place there.
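As an added illustration of the three log-data control categories, serving both the privacy recipe and the financial reporting recipe above, here is a small Python script that is not from the original post or from any product it mentions. It runs over constructed key=value log lines (an application audit log, a database audit log and a file-server access log; the field names and sample events are assumptions made for this example) and implements one control of each kind: a monitoring check that flags database writes carrying no transaction id issued by the application (a change that bypassed application logic), a report of which users touched data from which source, and an ad hoc search for every event that references one customer record.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample logs (not real data) in "<timestamp> key=value ..." form:
# an application audit log, a database audit log and a file-server access log.
# The field names are assumptions made for this example.
APP_LOG = """\
2007-06-12T10:01:05 src=app user=alice action=update_balance account=4471 txn=T1001
2007-06-12T10:02:10 src=app user=alice action=view_statement account=4471 txn=T1002
2007-06-12T10:03:30 src=app user=dave action=update_balance account=9902 txn=T1003
"""

DB_LOG = """\
2007-06-12T10:01:06 src=db user=app_svc stmt=UPDATE table=accounts key=4471 txn=T1001
2007-06-12T10:03:31 src=db user=app_svc stmt=UPDATE table=accounts key=9902 txn=T1003
2007-06-12T10:45:00 src=db user=dba_bob stmt=UPDATE table=accounts key=4471
2007-06-12T11:10:12 src=db user=app_svc stmt=SELECT table=accounts key=4471 txn=T1002
"""

FILE_LOG = """\
2007-06-12T10:05:00 src=fs user=carol action=read path=/records/4471.pdf
2007-06-12T10:06:00 src=fs user=carol action=read path=/records/1234.pdf
"""

CHANGE_STMTS = {"INSERT", "UPDATE", "DELETE"}
TOKEN = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn '<ISO timestamp> k=v k=v ...' into a dict; 'ts' holds a datetime."""
    ts, _, rest = line.partition(" ")
    event = dict(TOKEN.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event


def parse_log(text):
    """Parse every non-empty line of a log into event dicts."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_bypass_changes(app_events, db_events):
    """Monitoring control: a database write whose transaction id was never
    issued by the application (or that has no id at all) changed data without
    going through application logic, e.g. a DBA editing a table directly."""
    app_txns = {e["txn"] for e in app_events if "txn" in e}
    return [e for e in db_events
            if e.get("stmt") in CHANGE_STMTS and e.get("txn") not in app_txns]


def access_report(events):
    """Reporting control: how many events each (source, user) pair generated,
    the raw material for showing access controls behave as documented."""
    return Counter((e["src"], e["user"]) for e in events)


def search_record(events, record_id):
    """Ad hoc search: every event, from any source, that references one record,
    ordered by time. The path test is a plain substring match, so an id that is
    a prefix of another id can over-match."""
    hits = [e for e in events
            if record_id in (e.get("account"), e.get("key"))
            or record_id in e.get("path", "")]
    return sorted(hits, key=lambda e: e["ts"])


if __name__ == "__main__":
    app, db, fs = parse_log(APP_LOG), parse_log(DB_LOG), parse_log(FILE_LOG)
    for e in find_bypass_changes(app, db):
        print("BYPASS:", e["ts"], e["user"], e["stmt"], e["table"], e["key"])
    for (src, user), n in sorted(access_report(app + db + fs).items()):
        print(f"REPORT: {src:3} {user:8} {n} events")
    for e in search_record(app + db + fs, "4471"):
        print("HIT:", e["ts"], e["src"], e["user"], e.get("action") or e.get("stmt"))
```

The bypass check is the interesting one for SOX: it only works if the application stamps its own transaction id onto every statement it issues, so that a write arriving without one (or with one the application never generated) stands out. The same parsed events feed the other two controls, which is the leverage the post is after: one set of collected logs serving several mandates.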