Regulatory compliance management might not seem like a big deal to midmarket companies. Smaller companies have fewer employees and customers and smaller infrastructures, and, therefore, fewer items to track to comply with regulations. So on the surface, it might seem like simple spreadsheets or homegrown databases will do the trick for recording and reporting information required for compliance.
But midmarket CIOs: Don't let your guard down.
The number of regulations that can affect a midmarket company is staggering. Midmarket companies might have to comply with multiple regulations simultaneously. And although there's a lot of overlap, it would be unwise to believe that by collecting data for one regulation you are collecting it for all. When auditors and regulators come around, they're usually interested in reports on only their specific agency and its requirements.
Let's discuss the regulations with which most companies will have to comply. The big one, which affects most companies, is the Sarbanes-Oxley Act (SOX). Then there is the Health Insurance Portability and Accountability Act (HIPAA) for the health care industry and the Gramm-Leach-Bliley Act (GLBA) for financial firms.
On top of that is the Payment Card Industry Data Security Standard (PCI DSS), which is an industry standard but has the force of a government regulation because of the large size and market share of its players. PCI is a standard issued by the five largest credit card companies (Visa International, MasterCard International Inc., American Express Co., Discover Financial Services LLC and JCB Co.) for companies issuing or using credit cards, which today is most businesses.
All of the compliance regulations just mentioned, including PCI DSS, require a full accounting of who has access to which systems. Regular reports are expected to show who has access, their level of access and that users who have left the company no longer have active accounts.
Compliance covers activities as diverse as providing proof of a written information security policy, auditing access management and controls, and responding to and reporting incidents.
How does a midmarket company without a dedicated IT security or compliance department manage all of these requirements?
First, scope out the project. Which regulations are relevant to your company, and what are their unique requirements? Which requirements do you need the most help in reporting on? Determine which reports you need to generate, and for whom.
Then figure out which tools will work best for your needs and budget. There are tools and best practices that are reasonably priced and can be managed with minimal staff by midmarket companies.
Tools of the trade
There is no one tool that does it all. Tools range from full-featured suites with sophisticated dashboards to point products covering one specific area of compliance, such as encryption controls. But a good place to start is with the two biggest areas of compliance concern: access management and internal controls.
Starting at the top of the line, NetIQ Security Compliance Suite combines two of NetIQ Corp.'s other reporting tools -- Secure Configuration Manager and Security Manager. The product bills itself as able to provide reports meeting the requirements of several regulations, including SOX, GLBA and HIPAA.
The product has a Web-based dashboard that can be customized to display bar graphs and pie charts for comprehensive reports. Reports on access management cover segregation of duties and entitlements reporting. Specific lists of users and their access rights can be generated to check for conflicting duties and roles, like developer access to production systems, which is prohibited by most regulations. Accounts with inappropriate access can be disabled. Accounts with the ability to audit and configure systems can also be supervised, reviewed, controlled and, if necessary, disabled.
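A minimal version of the access review these reports amount to (current entitlements per user, active accounts whose owners have left or are unknown, and segregation-of-duties conflicts such as developer access to production), as an added example that is not code from the page or from any product it names; the HR roster, account inventory and SoD rule are constructed sample data:

```python
# Constructed sample data, not from any real system or from the products named above.
from collections import defaultdict
from datetime import date

# HR roster: employee id -> (name, termination date or None if still employed)
EMPLOYEES = {
    "e100": ("Ana Ruiz", None),
    "e101": ("Ben Osei", date(2024, 3, 31)),  # has left the company
    "e102": ("Cara Lim", None),
}
# Account inventory: (employee id, system, role)
ACCOUNTS = [
    ("e100", "erp-prod", "admin"),
    ("e100", "erp-dev", "developer"),   # developer with production access
    ("e101", "erp-prod", "read-only"),  # owner has left: should be disabled
    ("e102", "erp-dev", "developer"),
    ("e999", "fileserver", "admin"),    # no HR record: unknown owner
]
# Segregation-of-duties rule: one person may not hold both (system, role) pairs
SOD_RULES = [(("erp-dev", "developer"), ("erp-prod", "admin"))]


def review_access(employees, accounts, sod_rules, today=date(2024, 6, 1)):
    """Produce the findings an access-review report must show: each user's
    entitlements, active accounts with no current owner, and SoD conflicts."""
    entitlements = defaultdict(set)
    for emp, system, role in accounts:
        entitlements[emp].add((system, role))
    # Orphaned: account owner is unknown to HR or has a termination date in the past
    orphaned = []
    for emp, system, role in accounts:
        record = employees.get(emp)
        if record is None or (record[1] is not None and record[1] <= today):
            orphaned.append((emp, system, role))
    # Conflicts: a single person holds both halves of a prohibited pair
    conflicts = []
    for emp, held in entitlements.items():
        for a, b in sod_rules:
            if a in held and b in held:
                conflicts.append((emp, a, b))
    return {
        "entitlements": {e: sorted(h) for e, h in entitlements.items()},
        "orphaned": orphaned,
        "conflicts": conflicts,
    }
```

Each finding carries the employee id, system and role so it can be handed to the system owner for disabling or to the auditor as evidence.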
Besides access control reports, the product from Houston-based NetIQ can also consolidate and analyze log data to investigate system access and activity. This same information can be used for incident response to determine who accessed the system at a given time, where and when they accessed it, and what they did.
A similar product for smaller companies is Certus Compliance, which comes with a series of prepackaged reports and templates for reviewing controls and assigning and testing risk levels. Though designed for financial and other internal controls, the product from Chicago-based Certus Software Inc. also covers IT security controls. It supports, for example, the COBIT framework for IT controls.
The next product down the line has the clever name of Knock Your SOX Off. It's from Macy & Associates, a Scottsdale, Ariz.-based company geared entirely to the middle market and smaller companies. The product costs just under $5,000 -- much cheaper than higher-end tools -- and is built around SOX reporting. But its small size and ease of use make it adaptable for other compliance reports, like those for access management, which are similar.
Knock Your SOX Off is basically a Microsoft Access application that lists, classifies and assigns risk levels to internal controls. Controls can then be tested and evaluated and the results stored in the Access application for later retrieval and reporting. The interface is bare bones and easy to use. And because it's based on Microsoft technologies, Word documents and Excel spreadsheets can be migrated into the database. The old documents and spreadsheets that might have been used before can be replaced with a single compliance reporting and archiving tool.
Another possibility is to rely on compliance reporting products that you may already have in your ERP software. An example is mySAP ERP Financials, which is also available for smaller companies. Again, though it is heavily oriented toward accounting controls, IT security controls are included in the mix.
With this range of products, midmarket companies have a number of options for organizing and centralizing their compliance programs. But it's important to keep in mind that compliance is only one part of a company's IT security program. It doesn't replace a comprehensive information security program for your organization.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a regular radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at www.theitsecurityguy.com.