Network Computing is part of the Informa Tech Division of Informa PLC


Survivor's Guide to 2006: Security

The Case for Compliance

Getting funding based on fear is not a viable long-term option. About 40 to 50 organizations had public exposures in 2005, but that's a small minority of all U.S.-based companies. It's reasonable for business managers to rationalize that those companies had other problems, and such breaches won't happen to their organizations. Security administrators must push the business value of security purchases. Granted, articulating the business benefit of an IPS (intrusion-prevention system) is difficult, but regulatory compliance can be your friend in both getting funding for new projects and getting required security features into other IT projects. Pick your industry, and chances are a law like HIPAA (Health Insurance Portability and Accountability Act), Sarbanes-Oxley, GLBA (Gramm-Leach-Bliley Act) or FISMA (Federal Information Security Management Act) applies. Failure to comply can mean big fines.

But don't beat that drum too hard. The fines levied for noncompliance may be a pittance compared with the cost of purchasing and deploying products. The fine for unknowingly violating a HIPAA regulation, for example, is capped at $25,000 per incident.

However, the compliance angle combined with other motivators, such as improved processes, better protection and reduced risk of attack, can make a compelling argument, and if your organization is ever dragged into court, proving that it complies with regulations and best practices shows due care.

On the flip side, security product vendors are all waving the compliance flag trying to get your attention and your dollars. But which technologies satisfy which regulations? HIPAA and other statutes mandate and recommend some technologies' features, but technologies change. The interpretation of the law won't be settled until the courts settle cases. Work with your legal counsel when addressing compliance issues.

And don't think of compliance strictly in terms of products. Think of it as a multistep process that starts with stating what controls are needed to achieve compliance with a law or regulation, documenting how those controls will be implemented, providing the controls and proving that your controls are properly set up. HIPAA 5 CFR 164.312(d) requires that users accessing personal health information (PHI) be authenticated. So if your organization must comply with that act, you need a control, such as a user name/password, token or biometric authentication system. You also need a security policy statement that defines your authentication policy. And you must document the processes to ensure all users have a password.
