Streamlining the Compliance Process with Automated Monitoring
June 5, 2015. Featured article by Dan Maloney, VP of Marketing and Business Development, AccelOps
So far this year, three large health insurers have disclosed data breaches that affected millions of customers. Social Security numbers, addresses, birthdays, even information about medical conditions, have been stolen for sale to the highest black market bidder. And while the cyber criminals are making money hand over fist, breached companies are losing it.
Here is perhaps the scariest part: all these companies were considered “compliant” with at least one of the common security frameworks such as the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI-DSS).
The real problem is that those tasked with compliance tend to focus on getting a piece of paper stamped by a regulatory body. That should not be the end goal of compliance. Instead, companies should be working diligently to identify and mitigate the risks that pose a serious threat to the confidentiality, integrity or availability of their systems and data.
The financial fallout from health insurance breaches has not been finalized yet, but judging from last year’s hefty sums, they are looking at tens to hundreds of millions of dollars in settlements. Smaller organizations with less data to steal will pay less, but the point is that it’s an unnecessary expense that could be avoided if organizations invested in proper risk management on the front end.
What, then, is proper risk management? It is a continuous process that doesn’t simply follow a checklist provided by an outside group. It takes into account the unique nature of each organization. While compliance programs such as HIPAA, PCI, FISMA and others are a great starting point, they can’t identify all areas of risk in an organization. Each organization must do that for itself.
A compliance checklist and an official seal of approval will only go so far; risk management will always provide far greater security. If you don’t have a risk management program, start small and use free resources such as NIST Special Publication 800-30, Guide for Conducting Risk Assessments, or Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, both available at http://csrc.nist.gov.
It Pays to Be Compliant
The cost of non-compliance (penalties and fines) is much greater than the actual cost of being compliant, according to The True Cost of Compliance study by The Ponemon Institute. When Ponemon researchers adjusted the total cost of compliance by organizational headcount, they found that compliance costs $222 per employee, while the cost of non-compliance came to $820 per employee.
In addition, the Ponemon Institute study revealed that the frequency of internal compliance audits was inversely correlated to per capita non-compliance costs. That is to say, the more internal audits you perform successfully, the lower your chances of failing a real compliance audit.
The financial and legal costs of non-compliance are only part of the story. You also need to factor in the disruption to normal business processes, which reduces productivity and creates tremendous stress on the individuals involved (a cost that can’t be calculated).
Internal Audits Made Painless
Compliance, then, is unavoidable – though IT professionals would like to avoid the auditing that accompanies it. Auditing seems like a terrible drudgery, taking hundreds of staff hours and creating innumerable headaches. Let’s face it: IT is becoming a regulated industry. Compliance mandates like PCI DSS affect any company processing credit cards. SOX requirements are essentially a tax for public companies and growing startups; healthcare providers dread HIPAA audits, while financial services companies live or die by their ability to implement GLBA controls. Honoring compliance obligations without monitoring automation is a recipe for costly penalties.
What can deliver efficient processes and stress relief to compliance auditing? Automated monitoring is the answer. There are solutions today that provide a single-pane-of-glass view of the corporate network infrastructure. Some products go even further, providing pre-configured rules and reports, many of which are designed specifically to make preparing for compliance audits as easy as a click of the mouse. Rather than commandeering IT resources two weeks before audit reports are due, IT managers should consider solutions that generate compliance reports automatically for the following: PCI DSS, SOX, NERC, GLBA, GPG13, FISMA, COBIT, ITIL, ISO, HIPAA and SANS Critical Controls.
New – and potentially rogue – devices can be spotted on the network with the help of a compliance monitoring solution, and it also enables a more efficient alert system. Imagine being able to view the entire network at a glance. This kind of functionality also helps isolate the root cause of security and network issues, which is of particular value in virtualized environments where problem root causes change over time.
Organizations can realize ROI quickly when deploying automated compliance monitoring. For example, a financial services firm was required to produce quarterly GLBA compliance reports. It was a full-time job for three IT system administrators for three weeks per quarter. During this time, they would manually parse terabytes of logs to find all instances of specific security events such as unauthorized server access.
When the automated solution was put in place, all security events pertinent to their compliance needs were instantly tracked, correlated and delivered as pre-configured reports and dashboards. In addition to automating GLBA compliance for security, the company also gained health-of-network visibility into server and application performance and availability.
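The manual work the firm above was doing (parsing logs for unauthorized server access and tallying the hits for a GLBA report) is the kind of job a monitoring rule automates. The script below is an added illustration, not AccelOps code or anything from the original article: it parses constructed sshd-style log lines against an assumed per-server access policy and returns the findings and counts a compliance report would be built from.

```python
import re
from collections import Counter

# Constructed sample log lines in syslog/sshd style; not from any real system.
SAMPLE_LOG = """\
Apr 02 01:12:07 db01 sshd[4711]: Accepted publickey for dba from 10.0.5.21 port 50122 ssh2
Apr 02 01:13:40 db01 sshd[4712]: Failed password for root from 203.0.113.9 port 41022 ssh2
Apr 02 01:13:44 db01 sshd[4712]: Failed password for root from 203.0.113.9 port 41022 ssh2
Apr 02 02:05:19 db01 sshd[4790]: Accepted password for contractor from 198.51.100.7 port 33012 ssh2
Apr 02 03:30:00 db01 sshd[4801]: Accepted publickey for dba from 10.0.5.22 port 50130 ssh2
"""

# Assumed access policy (constructed): which accounts may log in to each server, and from which networks.
POLICY = {"db01": {"users": {"dba", "backup"}, "networks": ("10.0.",)}}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def classify(host, result, user, ip):
    """Map one sshd event to a finding type, or None if it complies with POLICY."""
    rules = POLICY.get(host)
    if rules is None:
        return "unmanaged-host"        # a server with no policy is itself a reportable gap
    if result == "Failed":
        return "failed-login"
    if user not in rules["users"]:
        return "unauthorized-user"     # successful login by an account not on the allow list
    if not ip.startswith(rules["networks"]):
        return "unauthorized-source"   # allowed account, but from outside the permitted networks
    return None

def build_report(log_text):
    """Parse sshd auth lines and return per-type counts plus the individual findings."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # skip lines that are not sshd authentication events
        kind = classify(m["host"], m["result"], m["user"], m["ip"])
        if kind:
            findings.append({"type": kind, "user": m["user"], "ip": m["ip"], "ts": m["ts"]})
    return {"counts": dict(Counter(f["type"] for f in findings)), "findings": findings}

if __name__ == "__main__":
    for kind, n in build_report(SAMPLE_LOG)["counts"].items():
        print(f"{kind}: {n}")
```

The same regex and policy check applied to a quarter's worth of log files, with the output written to a dashboard or report template, is essentially what the pre-configured GLBA rule in the story replaces three weeks of manual parsing with.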
Raise Your Compliance Expectations
The outbreak of data breaches will continue to drive home the need for stronger security. As organizations look for ways to protect their critical data, maintaining compliance with IT security mandates such as PCI, SOX and HIPAA is more important than ever before. However, as we continue to see, compliance does not necessarily equal security. Rather than simply checking off a list of compliance requirements, organizations are best served by paying attention to their specific compliance process.
An automated compliance and reporting process reduces the IT admin burden by an order of magnitude and enables IT staff to focus on what is actually important. These features offer instant ROI, a fact that is augmented by the savings that come with being compliant. Streamlining the internal audit process is not only a best practice – it also helps IT staff and executives alike to rest easier in the face of potential outside audits.
About the author:
Dan Maloney is vice president of marketing and business development for AccelOps, the leader in actionable security intelligence for the modern data center. Maloney has nearly 20 years of experience in the enterprise software arena, serving as general manager and global vice president for eCommerce at SAP. Dan was at SAP for 12 years, where he held a variety of leadership roles, including global vice president of business development, focusing on selecting, structuring and enabling SAP’s partnerships for cloud, mobility and traditional on-premise software.