Security by the book

In many ways compliance and security hold similar positions within the IT industry: both make wide and varied demands that defy simplistic solutions; both are consistently among the top priorities for the board; both require considerable expenditure, which many companies begrudge because it is seen as 'dead' money, adding little to competitive advantage.

Yet it is a disservice to corporate regulations to portray them as unnecessary money-guzzling burdens. Section 409 of the Sarbanes-Oxley Act (SOX) compels US companies, or those trading in the US, to report to their shareholders any events which could affect the value of the company. A security incident can have a major impact. A survey by the University of Texas' Information Security Centre of companies listed on Nasdaq found that a breach in their security would hit their market capitalisation by 3% to 4% within 48 hours. It predicted an average timescale of six to eight weeks for that market value to return to its pre-breach level.

Global standards

Security systems must be sensitive to a broad range of regulatory pressures. With different countries applying different standards, there can be discrepancies between what is deemed 'best practice'. In some countries organisations are expected to account for outbound emails, potentially involving opening up employees' email; French law forbids it. Italian data protection law mandates that all passwords securing personal data must be at least eight characters long, so a multinational with Italian offices would have to take that into account.

The Californian Senate Bill 1386 stipulates that companies based or doing online business in the state must notify their customers if there is a breach in the security of personal information they hold. As Michael Colao, director of information management at Dresdner Kleinwort Wasserstein bank, says: "We're a global bank; we've got customers everywhere. Can I suffer the reputational risk, if there is a breach, of quickly calling my customers in California and nobody else? No way."

This atmosphere can prompt many businesses to apply more stringent policies than necessary, for example by keeping all emails, even spam and personal notes. But management headaches can be spared by spreading a consistent security policy across the whole organisation, based on a balance of all relevant regulations.

"You have to take into account industry and geographical standards," explains Mike Usher, group security advisor from international financial services giant Prudential Plc. "If the local law requires less than the group standards, we apply the group, and vice versa. Whatever we do we always maximise rather than minimise."
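The "maximise rather than minimise" rule above can be made mechanical. As an added example (not code from the article or from Prudential), this merges a group baseline with per-jurisdiction rules by taking the stricter value for every control, and flags the one case the rule cannot resolve: a control that one jurisdiction requires and another forbids, as with the email-inspection point above. The control names, jurisdictions and values are constructed for illustration.

```python
from dataclasses import dataclass, field

# A rule value is either an int (a numeric minimum such as password length)
# or one of the strings "required" / "forbidden" (an obligation).

@dataclass
class Policy:
    minimums: dict = field(default_factory=dict)     # control -> strictest minimum
    obligations: dict = field(default_factory=dict)  # control -> "required"/"forbidden"
    conflicts: list = field(default_factory=list)    # (control, jurisdiction_a, jurisdiction_b)

def merge_policies(group_baseline: dict, local_rules: dict) -> Policy:
    """Merge the group baseline with each jurisdiction's rules.
    Numeric minimums are combined with max(); obligations are adopted as-is,
    but a 'required' vs 'forbidden' clash on the same control cannot be
    resolved by maximising, so it is recorded for human review instead."""
    merged = Policy()
    origin = {}  # control -> jurisdiction that set the current obligation
    sources = {"group": group_baseline, **local_rules}
    for jurisdiction, rules in sources.items():
        for control, value in rules.items():
            if isinstance(value, int):
                merged.minimums[control] = max(merged.minimums.get(control, 0), value)
            elif value in ("required", "forbidden"):
                current = merged.obligations.get(control)
                if current is not None and current != value:
                    merged.conflicts.append((control, origin[control], jurisdiction))
                    continue  # keep the earlier obligation, leave the clash visible
                merged.obligations[control] = value
                origin[control] = jurisdiction
            else:
                raise ValueError(f"unsupported rule value for {control}: {value!r}")
    return merged

# Constructed sample: a group baseline plus two local rule sets.
GROUP = {"password_min_length": 6, "employee_email_inspection": "required"}
LOCAL = {
    "Italy": {"password_min_length": 8},                  # local law is stricter
    "France": {"employee_email_inspection": "forbidden"},  # clashes with the group rule
}

if __name__ == "__main__":
    policy = merge_policies(GROUP, LOCAL)
    print(policy.minimums, policy.obligations)
    for control, a, b in policy.conflicts:
        print(f"CONFLICT on {control}: {a} vs {b} - needs a decision, not a merge")
```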


Case study: Novartis

Regulatory burdens have sparked a new software sub-industry aimed at helping companies meet their obligations. But these tools rarely provide instant compliance out of the box, and not every organisation can use a pre-packaged solution.

Andreas Wuchner-Bruehl, CSO of pharmaceutical giant Novartis, developed a tool called Setrasys, accessible from any web browser, to help employees cope with Sarbanes-Oxley. If anything untoward happens in the network, Setrasys notifies the relevant parties, whether that means the technical people needed to fix it or someone on the business side. While all the technical details are included – how long something has been wrong, what action is required and so forth – Wuchner-Bruehl believes this kind of detail is not what auditors want. “They’re not interested in which patch is missing where, they only care that something went wrong and it was flagged up and dealt with.”

He was forced to develop the tool himself, using QualysGuard, a vulnerability management service, because the market could not provide what he wanted, and it is now being made available to other companies. “There are great, really in-depth technical tools out there, but you can’t give them to an auditor, they won’t know what they mean. On the other side there are auditing products but they require lots of manual configuration. [Audits] need talking to.”

He believes Setrasys bridges the gap by showing the auditors that Novartis is monitoring security but also giving more technical details if required.



Reacting to each law individually is liable to create little more than a muddle, so companies are encouraged to find common requirements and embed as many as possible into an enterprise-wide security policy. Outbound email should be scanned and controlled so sensitive information cannot leave the company, and the network secured from hackers and malware so personal data cannot be captured and used maliciously. Policy management software may help to ensure different frameworks do not conflict and find common ground between regulations.

Business improvements

By easing the management burden, a policy-based approach helps companies get away from thinking of compliance as merely "ticking boxes" and towards improving their business. Having to demonstrate security in one area can lead to wide-ranging efficiencies in others. For example, section 404 of SOX demands the complete integrity of the financial information on which auditors' reports are based. Identity management can be used to prove who accessed what data and when, but it can also reduce company spending on helpdesk calls by tackling the problem of forgotten passwords and obviating the need for passwords to be reset.

Omar Hussain, senior vice president for marketing and product development at single sign-on vendor Imprivata, explains that a large proportion of customer frustration at the helpdesk stems from forgotten passwords. "It's easier to make one point of entry ultra secure than to have many that aren't. That one method of authentication, for example biometric ID, might have been prohibitively expensive before. But now companies are saving on the helpdesk so they can afford to pay $100 a user."

Considering around 70% of a business's confidential corporate information is communicated via email, tight email scanning to complement a coherent and clear role-based policy is essential. Systems can be trained to search for certain information or phrases that should not be let out of the company and messages can be sent back to the sender or deleted.
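An outbound-mail check of the kind just described, added here as an example (not code from the article or any vendor it names): it parses a message, scans the subject and body for phrases and patterns that must not leave the company, ignores mail that stays on the internal domain, and returns one of the three outcomes the text mentions: deliver, return to sender, or delete. The internal domain, phrase list, account-number pattern and sample message are all constructed.

```python
import re
from email import message_from_string
from email.message import Message

INTERNAL_DOMAIN = "example.com"  # constructed: mail staying inside is not scanned
BLOCKED_PHRASES = ("internal only", "not for distribution")  # constructed phrase list
# Constructed pattern standing in for a customer account number format.
ACCOUNT_NUMBER = re.compile(r"\bACC-\d{8}\b", re.IGNORECASE)

def _external_recipients(msg: Message) -> list:
    rcpts = []
    for header in ("To", "Cc", "Bcc"):
        for addr in (msg.get(header) or "").split(","):
            addr = addr.strip().lower()
            if addr and not addr.endswith("@" + INTERNAL_DOMAIN):
                rcpts.append(addr)
    return rcpts

def _body_text(msg: Message) -> str:
    # Only text/plain parts are inspected; decode=True undoes transfer encoding.
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")

def scan_outbound(raw: str) -> dict:
    """Return the policy decision and the evidence behind it for one message."""
    msg = message_from_string(raw)
    external = _external_recipients(msg)
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}".lower()
    findings = [p for p in BLOCKED_PHRASES if p in text]
    findings += [m.group(0) for m in ACCOUNT_NUMBER.finditer(text)]
    if not external or not findings:
        action = "deliver"
    elif any(ACCOUNT_NUMBER.fullmatch(f) for f in findings):
        action = "delete"            # personal data: do not hand the message back
    else:
        action = "return_to_sender"  # marked-internal text: sender can fix and resend
    return {"action": action, "external": external, "findings": findings}

SAMPLE = """From: alice@example.com
To: bob@partner.test
Subject: Q3 figures
Content-Type: text/plain

Attached are the draft numbers. INTERNAL ONLY until the board signs off.
"""

if __name__ == "__main__":
    print(scan_outbound(SAMPLE))
```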

But technology alone cannot solve the problems of security and compliance. Education is the key, says Shaun Fothergill, UK and Ireland security strategist at systems management software vendor Computer Associates, but threats should be explained in easily understood terms – such as people's salaries, profits, shares – not jargon. One of the most common problems today, says Fothergill, is that security is treated as a technical issue, which results in the wider business not understanding the potential problems and leaves users frequently confused about their responsibilities. "If the security policy makes a thud when it lands on the desk, it's too big," he adds.

Most important of all, says Prudential's Usher, is the need to understand the business's priorities. Security and compliance should not get in their way.

"I'm not here to stop business being conducted," Usher says. "We have some 290 controls we measure against. Some we find we have fulfilled incompletely and we rectify them; other policies might have to be reduced if they are simply unachievable. Some are followed through without exception, but you can't let controls affect the business."

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...