Don't Let IT Decisions Send You To Prison

Aside from regulatory audits and meeting best practice guidelines, policy management has a big impact on IT.

Michael Biddick

November 7, 2007


Federal regulations establish broad requirements that affect IT systems and infrastructure, and many IT managers find them difficult to translate into real-world actions. That excuse will not save you in court. Almost all IT organizations are affected by these regulations, and you need to understand which ones apply to you and what you can do about them. Under the Gramm-Leach-Bliley Act (GLBA), financial institutions of any size must provide their clients with a privacy notice that explains what information the company gathers about the client, with whom this information is shared, and how the company safeguards it. If the institution is found to have violated that notice, it is subject to fines of up to $100,000 for each violation, and its officers and directors are also on the hook for civil penalties of up to $10,000 each. If customer data is compromised because it was not properly secured, each customer record could be considered a separate violation, so the penalties can escalate into the millions.

Sarbanes-Oxley (SOX) sets standards for the management, boards, and public accounting firms of all public companies in the U.S. The section with the biggest impact on IT organizations is section 404, which requires management to assess and report on the effectiveness of the company's internal controls over financial reporting and the external auditor to attest to that assessment. Because of the consequences of not complying with SOX, many CIOs are directly involved in ensuring their IT organizations meet its requirements. Criminal penalties for knowingly violating SOX can include fines and imprisonment.

SOX compliance requires an internal control framework, and IT organizations typically adopt a set of best practices such as COBIT or ITIL to define the procedures for managing application transaction processing. SOX focuses on financial application transactions such as payroll, general ledger, accounts payable, and other "key" systems, but because of the strict penalties for violation, most companies take a broad approach and establish control mechanisms for every IT element that may somehow affect the balance sheet. Application transaction controls and access controls are both critical for compliance, and this covers not only the applications themselves but also the supporting systems: networks, operating systems and databases.

Health care organizations of all sizes must contend with HIPAA, which requires controlling access to protected health information. HIPAA mandates that protected health information transmitted electronically over open networks be safeguarded so that it cannot be intercepted by anyone other than the intended recipient, which in practice means encrypting it in transit. Organizations that violate HIPAA can also face civil penalties, fines and legislative hearings.

Any organization that stores, transmits or processes credit card data is also subject to the Payment Card Industry Data Security Standard (PCI DSS). Organizations that don't comply can lose the privilege of processing cards. Some of its requirements, such as installing and maintaining a firewall and not using vendor-supplied defaults for system passwords and other security parameters, are straightforward; others, such as maintaining a policy that addresses information security and restricting access to cardholder data to those with a business need to know, are harder to achieve. The standard's twelve requirements, which also include tracking and monitoring all access to network resources and cardholder data and regularly testing security systems and processes, will likely require a suite of tools from various vendors to cover this disparate set of tasks: anti-virus software, configuration management products, host-based security products, data protection appliances, and more robust password policy software.

Worried about your social security number, tax history or military record? How about troop deployment information, nuclear information technology and cyber-terrorism? All Federal agencies and their contractors are subject to the Federal Information Security Management Act (FISMA), which was intended to increase computer and network security. This broad-reaching act tries to set up a framework to ensure that information within the government is protected, but too often it becomes a paper exercise that does not result in true security.

Missing from FISMA is a definition of which systems, or boundaries, are covered under the Act, and any definitive way to classify the sensitivity of the data itself, especially in civilian agencies. Instead, the act relies on a series of averages to determine the overall risk of a compromised system.

FISMA also mandates an inventory of the hardware, software and major applications that reside within each system's defined boundary. This inventory is expected to be detailed enough to capture hardware makes and model numbers, software version numbers, patch levels, and a functional description of each system's purpose.

Aside from regulatory audits and meeting best-practice guidelines, policy management has a big impact on IT. Organizations need to understand which regulations affect them and how to translate regulatory requirements into practical IT requirements. Watch for our upcoming article on policy management in InformationWeek and our discussion of some software vendors that can help.
