Compliance Interpretation Recipes
| Topics: | Compliance, Splunk |
|---|---|
As a continuation of the compliance topic, let's review some of the major mandates you might come across in IT. Some of these mandates are quite prescriptive, like PCI, and others are much more open to interpretation, like SOX.
- SOX is a securities regulation designed to ensure accurate financial reporting for public companies and companies preparing to go public.
- PCI (the Payment Card Industry Data Security Standard) is an industry security standard, not a law; it is enforced contractually by the card brands to ensure cardholder data is protected. Anyone accepting credit cards or processing credit card payments must be concerned with PCI.
- ITIL sets out specific IT process standards for IT service management best practices and frameworks. Organizations that adopt it usually do so because IT wants to improve overall processes and efficiency.
- HIPAA is a healthcare regulation whose administrative simplification rules drive the move to electronic patient records, while its privacy and security rules require that those records be protected through effective security controls. US healthcare providers and payers (insurers) need to pay attention to HIPAA.
- FFIEC guidelines are the examination standards used by the US banking regulators to ensure banks don't fail because of fraud or operational failure. IT security is a small subset of the guidelines. US banks are examined against them.
- DCID is a security regulation designed to ensure security of defense information systems. If you work for a US defense agency or contractor you probably have already heard of it.
- NISPOM is a security regulation protecting security of classified networks. US government agencies and contractors with classified data fall under these guidelines.
- FISMA is a security regulation designed to bolster computer and network security within the Federal Government agencies and government contractors.
- ISO 17799 (since renumbered ISO/IEC 27002) is a general set of IT process standards addressing overall risk management and controls. Organizations that adopt it usually do so at the recommendation of their auditors.
- CoBIT is a general IT process standard addressing overall risk management and controls. Organizations that adopt it usually do so at the recommendation of their auditors.
- COSO is a general internal-control and enterprise risk management framework, within which the management of risk from security breaches is one concern. Organizations that adopt it usually do so because of their auditors.
So those are some of the major mandates. What can you do to understand the potential impact on you, your job and your career? Certainly there are lots of people who've written about compliance and know far more than I do. But I've been trying to boil it down to a few simple recipes.
For any mandate, be sure that you understand its motivation and origin. Once you understand its motivation, your best recipe for success is to make that motivation your own. Educate your organization on what the mandate is designed to do. Create a climate in your organization where the mandate's goals are also your goals. When auditors and courts see that you have adopted the spirit and not just the letter of the law, deficiencies tend to be treated leniently, as anomalies rather than as a pattern. Some mandates, including HIPAA and FFIEC, are quite specific about the requirement to conduct an individualized risk assessment for a given organization relative to the mandate's objectives, and to adopt a customized set of controls based on that risk assessment.
As we’ve seen with recent prosecutions of corporate malfeasance, it’s those individuals and organizations that take a cavalier attitude toward the law that are receiving the largest penalties.
Nearly every mandate you will face is motivated by one or more of the concerns covered by the recipes below. You can gain leverage in a compliance program by adopting a consistent set of practices for multiple mandates that share common goals.
Once you understand each mandate, you can identify specific controls using log data, which usually will fit into one of the following categories:
- Monitoring IT data for security and operations issues.
- Reporting on other controls using IT data.
- Ad hoc search of log data for investigations & discovery requests.
1. Privacy Protection Recipe
Protecting customer, employee and consumer privacy is the motivator behind the security and privacy rules within the Health Insurance Portability and Accountability Act (HIPAA), which impacts all healthcare providers and payers, including companies that self-insure. The Gramm-Leach-Bliley Act (GLBA) has a similar concern but with consumer financial information. California's SB-1386 is becoming a model for other states of a particularly aggressive form of privacy protection, since it requires notifying consumers when their data is breached. And last but not least, the Payment Card Industry security standard (PCI), enforced by the credit card networks for any organization accepting payments by credit card, is an extremely specific program designed to protect consumer financial information.
| Category | Log-data controls |
|---|---|
| Monitoring | Monitor for network intrusions and suspicious outgoing traffic. |
| Reporting | Report on access control and firewall events to prove these controls are in place and properly configured. |
| Ad hoc Search | Be able to investigate logs of access to data via applications, database queries and filesystem access. You may have to investigate any and all consumer reports that your organization mismanaged their data, which may mean hundreds of ad hoc searches a week if you are a major consumer financial or healthcare organization. |
2. Financial Reporting Recipe
Ensuring fairness in financial markets is the motivation for Sarbanes-Oxley. The scope of concern relative to IT is the prevention and detection of financial reporting inaccuracies, fraud, and revenue-generating service interruptions. IT auditors are equally concerned with security and operations. Concerns range from an authorized user of a business system abusing their privilege to execute fraudulent transactions, to downtime of a revenue-generating system causing lost revenue. Data integrity and business continuity are of significant concern, while privacy and secrecy are not relevant.
| Category | Log-data controls |
|---|---|
| Monitoring | Monitor for suspicious transaction patterns, data changes that bypass application logic, and system failures. |
| Reporting | Report on and review new kinds of events, system changes, and data changes. |
| Ad hoc Search | Ensure that developers can do ad hoc search of logs without accessing production systems, since strict access controls will be in place. |
The scope of systems affected will vary widely depending on the nature of a particular business. For an organization with work that doesn’t have any sort of transactional component, such as an advertising agency, the scope of IT infrastructure may be very narrowly defined as a handful of servers hosting the core G/L, A/R and payroll financial systems. For an e-commerce site, the entire production application infrastructure, with the minor exception of a few image servers, might be part of the audit scope.
3. Infrastructure Protection Recipe
Controlling risk in regulated critical industries is the motivator behind the Federal Financial Institutions Examination Council (FFIEC) guidelines used by all five U.S. banking regulators (FDIC, OTS, FRB, OCC and NCUA) for their audits of banks, savings and loans, and other retail banking institutions. These guidelines are meant to ensure that banks don’t fail. Part of FFIEC is about business compliance, such as rules about reserve to deposit ratios. And part is about IT – to control the risk that sloppy security enables intruders to steal enough from the bank to threaten its viability, and also the risk that poor systems development and management practices leave the bank open to systems failures that could disrupt business operations.
Similarly, the North American Electric Reliability Council (NERC) IT guidelines are intended to control the risk that IT failures and security breaches could cause portions of the power grid to fail.
| Category | Log-data controls |
|---|---|
| Monitoring | Monitor for network intrusions, system failures and unauthorized changes. |
| Reporting | Report on the activity of access control systems and firewalls to show that these controls are in place. |
| Ad hoc Search | Enable rapid investigation of all operations and security alerts. |
For this type of mandate, the primary concern is business continuity. The relevant IT controls will include both systems management and security management practices. The systems management practices are concerned with availability, and the security management practices with sabotage. An undetected logic flaw in an application is as much of a problem as a hacker determined to take your bank or power station down. Privacy issues matter to the extent that violating other mandates regarding privacy would expose the organization to liability that might threaten its viability.
4. Classified Information Protection Recipe
Protecting government classified information is the motivation behind NISPOM (National Industrial Security Program Operating Manual), which applies to classified information protection by government agencies and contractors; DCID 6/3 (Director of Central Intelligence Directive 6/3), which applies to intelligence data handled by government agencies and contractors, and FISMA (Federal Information Security Management Act) which is a mandated security program for federal agencies.
Mandates motivated by protection of government information have similar characteristics to those concerned with consumer privacy – data leakage and secrecy are the primary concerns.
| Category | Log-data controls |
|---|---|
| Monitoring | Monitor for network intrusions and suspicious outgoing traffic. |
| Reporting | Report on access control and firewall events to prove these controls are in place and properly configured. |
| Ad hoc Search | Be able to investigate logs of access to data via applications, database queries and filesystem access. You will be expected to thoroughly investigate all network intrusion and firewall alerts as well as reports of lost data. |
5. Employee Actions Protection Recipe
If your employees offend others in the workplace by what they view, abuse business systems to commit criminal acts, or otherwise misbehave, your organization might be held liable unless you can show that you are taking reasonable measures to protect against such abuse.
| Category | Log-data controls |
|---|---|
| Monitoring | Monitor for use of inappropriate or non-business websites, unusual bandwidth usage patterns, and suspicious external destination domains. |
| Reporting | Report on web proxy, email and firewall traffic. |
| Ad hoc Search | Be able to search proxy and email logs by user id on an ad hoc basis, often by non-technical HR personnel. |
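The three controls in the table above, as an added example that is not part of the original post: parse web proxy logs, search them by user id, flag hits on non-business sites, and flag users whose bandwidth is far out of line with their peers. The log line format (a squid-style space-separated access record), the field names, the user ids, and the non-business domain list are all assumptions made for this illustration; the log lines are constructed, not captured.

```python
"""Ad hoc search and monitoring over web proxy logs (illustrative, added example)."""
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed sample lines (assumed format): timestamp user client_ip method url status bytes
SAMPLE_LOG = """\
2024-03-01T09:01:05 jsmith 10.1.4.22 GET http://intranet.example.com/home 200 4120
2024-03-01T09:02:11 jsmith 10.1.4.22 GET http://mail.example.com/inbox 200 18230
2024-03-01T09:05:40 amiller 10.1.4.31 GET http://gambling-site.example/bet 200 9911
2024-03-01T09:06:02 amiller 10.1.4.31 POST http://gambling-site.example/bet 200 512
2024-03-01T09:15:13 jsmith 10.1.4.22 GET http://intranet.example.com/docs 200 7760
2024-03-01T09:20:45 bchen 10.1.4.57 GET http://cdn.example.net/update.bin 200 2147483648
2024-03-01T09:22:09 bchen 10.1.4.57 GET http://intranet.example.com/home 200 4120
2024-03-01T09:30:00 amiller 10.1.4.31 GET http://news.example.org/ 200 30100
"""

# Assumed category list; a real deployment would use the proxy's own URL categorizer.
NON_BUSINESS_DOMAINS = {"gambling-site.example"}


def parse_proxy_line(line):
    """Split one access record into a dict; the host is pulled out of the URL for matching."""
    ts, user, ip, method, url, status, nbytes = line.split()
    return {"ts": ts, "user": user, "ip": ip, "method": method, "url": url,
            "host": urlsplit(url).hostname, "status": int(status), "bytes": int(nbytes)}


def parse_log(text):
    return [parse_proxy_line(line) for line in text.splitlines() if line.strip()]


def search_by_user(events, user):
    """Ad hoc search: everything a given user id did, in time order (the HR request case)."""
    return sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])


def non_business_hits(events):
    """Monitoring: requests to sites on the non-business list."""
    return [e for e in events if e["host"] in NON_BUSINESS_DOMAINS]


def bandwidth_outliers(events, factor=10):
    """Monitoring: users whose total bytes exceed `factor` times the median of all other users.

    Comparing each user against the median of the others keeps one huge
    transfer from inflating the baseline it is measured against.
    """
    totals = defaultdict(int)
    for e in events:
        totals[e["user"]] += e["bytes"]
    flagged = []
    for user, total in totals.items():
        others = [t for u, t in totals.items() if u != user]
        if others and total > factor * median(others):
            flagged.append(user)
    return sorted(flagged)


def report_by_user(events):
    """Reporting: per-user request count, bytes and distinct destination hosts."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": set()})
    for e in events:
        s = summary[e["user"]]
        s["requests"] += 1
        s["bytes"] += e["bytes"]
        s["hosts"].add(e["host"])
    return {u: {"requests": s["requests"], "bytes": s["bytes"], "hosts": sorted(s["hosts"])}
            for u, s in summary.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in search_by_user(evs, "jsmith"):
        print(e["ts"], e["method"], e["url"])
    print("non-business:", [(e["user"], e["host"]) for e in non_business_hits(evs)])
    print("bandwidth outliers:", bandwidth_outliers(evs))
    print("report:", report_by_user(evs))
```

With only three users in the constructed sample the peer-median baseline is crude; in practice you would baseline each user against their own history over days or weeks, and keep the non-technical HR search interface to `search_by_user` rather than exposing raw logs.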
6. Law Enforcement Discovery Recipe
Servicing discovery requests by law enforcement agencies can be a significant burden. Consumer service providers such as telecoms, ISPs, email providers and online community/gaming sites are subject to frequent e-discovery requests by law enforcement looking to discover the identity of users or understand their Internet usage. Firms employing traders or brokers subject to stringent codes of conduct receive e-discovery requests for regulator investigations of violations such as insider trading. In these cases, the primary log compliance concern is being able to quickly search for log events for particular users and showing the integrity of the audit trail.
| Category | Log-data controls |
|---|---|
| Ad hoc Search | Easy search by user ids, email addresses, IP addresses, etc., often by non-technical compliance personnel. |
We all face a lot of new challenges in meeting the requirements of compliance regulations and mandates. IT infrastructures are far more scrutinized for compliance than ever before. They're also far more complicated: delivering a single service or application can require hundreds or thousands of components.
Don’t be surprised if you find yourself dealing with
- Securely collecting, transporting and managing large amounts of IT data.
- Ensuring better IT data quality to identify the who, what, when, where, why for every piece of data.
- Robust data correlation.
- Secure, efficient IT data retention.
- Providing for alerting, reporting and ad hoc access to all IT data across heterogeneous formats and sources.
- Ensuring integrity and chain of evidence and a complete audit trail of data collection, management and access.
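The last item in the list above, and the "integrity of the audit trail" concern in the law enforcement discovery recipe, come down to being able to show that collected log data has not been altered since collection. The following is an added example, not code from the original post, of one standard way to do that: each stored record carries the hash of the record before it, so editing, reordering or deleting an interior record breaks the chain, and an HMAC over the chain head, held by someone other than the log collector, catches truncation of the newest records, which hash chaining alone cannot. The record fields, the demo key and the sample access events are constructed for illustration.

```python
"""Tamper-evident audit trail via hash chaining plus a sealed head (illustrative, added example)."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for the hash "before" the first record


def _canonical(obj):
    # Canonical JSON (fixed key order, no whitespace) so the same record always
    # hashes the same way regardless of how it was serialized.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(seq, prev, record):
    return hashlib.sha256(_canonical({"seq": seq, "prev": prev, "record": record})).hexdigest()


def append_record(chain, record):
    """Append a log record, linking it to the hash of the previous entry."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"seq": seq, "prev": prev, "record": record,
                  "hash": _entry_hash(seq, prev, record)})
    return chain


def verify_chain(chain):
    """Return (True, None) if every link holds, else (False, seq of the first bad entry).

    Catches modified, reordered or deleted interior entries. It cannot catch
    removal of the newest entries; that is what seal()/verify_seal() are for.
    """
    prev = GENESIS
    for expected_seq, entry in enumerate(chain):
        if entry["seq"] != expected_seq or entry["prev"] != prev:
            return False, entry["seq"]
        if entry["hash"] != _entry_hash(entry["seq"], entry["prev"], entry["record"]):
            return False, entry["seq"]
        prev = entry["hash"]
    return True, None


def seal(chain, key):
    """HMAC over (length, head hash); the key is held by a party other than the collector."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, f"{len(chain)}:{head}".encode(), hashlib.sha256).hexdigest()


def verify_seal(chain, key, mac):
    return hmac.compare_digest(seal(chain, key), mac)


# Constructed sample: data-access events of the kind a privacy or discovery request searches for.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00Z", "user": "jsmith", "action": "select", "object": "patients.ssn", "rows": 1},
    {"ts": "2024-03-01T10:00:07Z", "user": "jsmith", "action": "select", "object": "patients.ssn", "rows": 250},
    {"ts": "2024-03-01T10:02:30Z", "user": "amiller", "action": "update", "object": "claims.amount", "rows": 1},
]
DEMO_KEY = b"demo-key-held-by-compliance-officer"  # assumption: a real key lives outside the collector


def build_sample_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append_record(chain, ev)
    return chain


def demo():
    """Exercise the four cases: intact, edited, interior deletion, tail truncation."""
    chain = build_sample_chain()
    mac = seal(chain, DEMO_KEY)
    results = {"intact": verify_chain(chain)}

    edited = copy.deepcopy(chain)
    edited[1]["record"]["user"] = "mallory"       # rewrite who ran the 250-row query
    results["edited"] = verify_chain(edited)

    deleted = copy.deepcopy(chain)
    del deleted[1]                                # drop the incriminating record
    results["deleted"] = verify_chain(deleted)

    truncated = chain[:-1]                        # drop the newest record only
    results["truncated_chain_ok"] = verify_chain(truncated)[0]
    results["truncated_seal_ok"] = verify_seal(truncated, DEMO_KEY, mac)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The truncation case is the one practitioners most often miss: the shortened chain still verifies link by link, and only the externally held seal exposes that records were removed from the end. In a real deployment the seal would be taken at a fixed interval (or published to a write-once store) rather than once, so that the window in which tail records can vanish silently is bounded.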
