Businesses Need to Take Control of Security, Compliance

Panelists from some of the industry’s leading consulting and integration companies warned that one-size-fits-all solutions don’t work when it comes to systems security and compliance with federal regulations.

Two panels, part of Ziff Davis eSeminars’ Consulting Leadership Virtual Symposium, on Thursday addressed systems security and compliance with federal regulations, hot topics among both clients and consultants.

In panel titled “Beyond SOX: Tactics and Strategies for the New Regulatory Environment,” panelists agreed that, before it’s possible to effectively automate compliance-related functions, it is necessary to take inventory of an organization’s existing technology, to learn where its data resides, what it does and who has access to it.

Tonie Leatherberry, a director at Deloitte Consulting of Deloitte Touche Tohmatsu, New York, said many companies rush to implement compliance systems without stopping to think out how the systems should evolve over several years.

That often results in what she called “Band Aid” solutions. But compliance is an ongoing requirement that require sustainable, dynamic programs, she said.

“I believe the regulations will continue to evolve and will continue to adjust and adapt over the next few years,” she said.

John Pironti, principal enterprise solutions architect at Unisys Corp. of Blue Bell, Pa., said it’s also necessary to take a programmatic approach to compliance processes themselves.

Regulations such as the Sarbanes-Oxley Act, which deals with corporate financial disclosures, came about because too many organizations were not putting in place the necessary controls, he said.

But those regulations call only for a baseline approach, and organizations should think beyond those minimum standards, because they will be better off in the long run, he said, adding, “We need to understand those regulations are here to stay.”

Pironti acknowledged that compliance poses some challenges, especially for companies doing business internationally. The regulations of one country can conflict with those of another, and, at minimum, they can be quite different. For instance, Hong Kong has very different privacy regulations from those of the European Community.

Panelist Bob Myers, resident and COO of Pillar Technology Group LLC in Southfield, Mich., said his company has taken the approach of helping clients become agile and proactive in responding to compliance requirements.

Myers said Pillar underscores to clients the importance of hooking business decisions directly to IT decisions, as opposed to making them independently of each other, so regulatory requirements become easier to manage.

“Good control and management equal a lack of risk,” he said.

Securing the network and the data within it was the topic of another panel, titled “Corporate IT Defense Challenges: Urgent Remedies for Clients at Risk,” during which panelists discussed the need for assessment and access controls.

David Sanders, director of the Critical Infrastructure Practice in the Public Services Sector at McLean, Va.-based integrator BearingPoint Inc., shared what he called a list of “good habits” for protecting IT networks.

For one thing, rather than focus only on threats, organizations must pay more attention to their vulnerabilities and areas of exposure, he said. Too often vulnerabilities are neglected, a dangerous practice that only comes to light after one of those weak points is exploited.

Other good security habits Sanders enumerated include having layered defense techniques, developing response and recovery plans, and enforcing user policies that make use of strong passwords and appropriately restrict user access. He also mentioned the importance of good network visibility—making sure you know what is in the network.

Panelist Ilene Becker-Yarnoff, a principal at integrator Booz Allen Hamilton Inc. in McLean, Va., focused on the need to protect privacy and comply with privacy regulations.

Though a number of laws have been passed to protect privacy, she said, the concept escapes easy definition and companies often are unaware of federal requirements concerning privacy.

If data on an individual can be found through reverse engineering from that person’s identification, she said, “There’s a strong need to look at privacy.”

To help organizations ensure privacy protection and compliance with federal regulations, Becker-Yarnoff said, Booz Allen Hamilton conducts assessments to ascertain how much of a company’s existing technology can be used to develop a security solution and how much new equipment and software is needed.

With the assessment completed, it is then possible to develop an investment strategy and budget, she said.

Another panelist, Ken Wortendyke, senior solution specialist at Dimension Data PLC, a service provider based in Hauppauge, N.Y., compared today’s IT security infrastructure to that of an airport, which must facilitate the movement of large numbers of people, but must do so securely.

“This is the world we face in our IT environment as well,” he said, adding that IT environments need solutions that minimize threats and provide multiple levels of access and consistent security without overburdening the IT support staff.