7 Signs You May be Violating Security Compliance Regulations
By Jim Obsitnik, Vice President of Marketing, Everdream
Poorly managed desktops and laptops expose companies to major compliance and
security problems. These devices, which are often left susceptible to both internal
and external threats, can lead to a loss of control over sensitive customer
information and to large incident-response costs. Companies
face a slew of information security regulatory requirements under federal and
state laws such as GLBA, Sarbanes-Oxley (SOX), and HIPAA.
Given the current pressures to account for all aspects of a company's
critical information, effective desktop management capabilities are fast becoming
essential to meeting today's requirements. The question isn't whether
a company should deploy and maintain computers and related software applications
securely, but rather how it should do so.
The core tenets of information management compliance regulations can be broken
down into three categories: ensuring the confidentiality of sensitive information
(GLBA, PCI); protecting data integrity by eliminating unauthorized creation
or modification (SOX); and guaranteeing information availability during mandated
time periods (HIPAA).
Wondering if you're at risk of violating security compliance regulations? The
following "7 Signs" can help you determine your compliance status and
develop a game plan for avoiding regulatory action.
1) You Struggle with the Ability to See and Manage Software Configurations.
Software vulnerabilities give attackers a way into protected systems. Almost all
regulations require that a software configuration management solution be in place.
Visibility into software configurations, combined with the ability to push
changes automatically, lets updates be distributed to remove vulnerabilities
in installed software. A configuration management system should be able to
accomplish the following:
Asset discovery to guarantee all systems are identified together with their
Software updates and patch distribution to non-compliant systems
A record of all activities
Rollback of any update in case of incompatibility
The typical challenge in deploying a configuration management system is the
amount of time and investment required to get it up and running. Until confronted
with a compliance obligation, many organizations have a limited solution in
2) You've Yet to Implement Company-wide Antivirus Control
Viruses and other malware are a common vehicle for exploiting software weaknesses.
Malware comes in many forms depending on the intent of its author. Although
much of it is designed to do damage, some is intended to take covert control of the
target PC. Examples of this type of behavior include:
Trojan horses to take over control of the PC
Spam distribution programs
Storage of illegal content
To provide comprehensive antivirus control, prevention, detection
and correction of any virus activity must be in place. Detection and prevention
consist of deploying an antivirus solution. However, to be effective, the virus
definitions must be continually updated so that newly released viruses are
detected and blocked. In addition, vendors periodically provide updates to the antivirus
scanning engines. These patches must also be distributed and applied quickly,
as it only takes one unprotected machine to let a virus cause a security
breach. As with configuration management, this can take considerable resources
and cost to maintain.
If a machine does become infected, it is imperative that it be disinfected
as soon as possible. This can prove difficult if the infected machine is remotely
located. One approach for remote PCs is to use a web-based remote control
utility to attempt an initial fix. In the worst case, a whole new
machine may be needed. Whatever the situation, it is crucial that no information
is lost. Having an adequate data backup capability helps reduce the damage and
cost of viruses.
3) You Lack the Ability to Monitor PC Resources
To operate reliably, most operating systems need memory and disk space available for
temporary storage of information. If that storage runs short,
the operating system may crash and data may be lost. Furthermore, a virus
or other unwanted program may consume processor time. Monitoring processor
and storage usage is a good way to detect unwanted computer behavior and prevent
future system failures.
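The monitoring described above, as an added example that is not part of the original article or of Everdream's products: a small Python monitor that samples processor load and free disk space and raises an alert only when CPU saturation is sustained (a single spike is ignored) or when free space falls below a floor. The thresholds, the use of 1-minute load average as a CPU proxy, and the sample data are assumptions for this example.

```python
"""Threshold monitor for processor and disk usage on a managed PC (added example)."""
import os
import shutil
from datetime import datetime, timedelta

# Policy knobs: assumed values for this example, not figures from the article.
CPU_SUSTAINED_PCT = 90.0      # flag when CPU stays at or above this...
CPU_SUSTAINED_SECONDS = 300   # ...for at least this long (ignores brief spikes)
DISK_FREE_MIN_PCT = 10.0      # flag when free space on the volume drops below this


def collect_sample(path="/", now=None):
    """Take one live reading: free-disk percentage and a CPU-busy estimate.

    CPU is approximated from the 1-minute load average normalised by core count,
    which is a POSIX-only call; on platforms without it the CPU field is None.
    """
    usage = shutil.disk_usage(path)
    cpu_pct = None
    if hasattr(os, "getloadavg"):
        load1 = os.getloadavg()[0]
        cpu_pct = min(100.0, 100.0 * load1 / (os.cpu_count() or 1))
    return {
        "time": now or datetime.now(),
        "cpu_pct": cpu_pct,
        "disk_free_pct": 100.0 * usage.free / usage.total,
    }


def evaluate(samples):
    """Walk time-ordered samples and return (kind, time) alerts.

    A 'cpu_sustained' alert fires once per run of samples that stays at or above
    CPU_SUSTAINED_PCT for CPU_SUSTAINED_SECONDS; a 'disk_low' alert fires once
    each time free space drops below DISK_FREE_MIN_PCT.
    """
    alerts = []
    run_start = None       # start of the current high-CPU run, if any
    cpu_alerted = False    # already alerted for this run
    disk_alerted = False   # already alerted for the current low-disk condition
    for s in samples:
        cpu = s["cpu_pct"]
        if cpu is not None and cpu >= CPU_SUSTAINED_PCT:
            if run_start is None:
                run_start = s["time"]
            held = (s["time"] - run_start).total_seconds()
            if held >= CPU_SUSTAINED_SECONDS and not cpu_alerted:
                alerts.append(("cpu_sustained", s["time"]))
                cpu_alerted = True
        else:
            run_start = None
            cpu_alerted = False

        if s["disk_free_pct"] < DISK_FREE_MIN_PCT:
            if not disk_alerted:
                alerts.append(("disk_low", s["time"]))
                disk_alerted = True
        else:
            disk_alerted = False
    return alerts


def constructed_samples():
    """Constructed one-minute samples: a lone 99% spike, then a seven-minute
    run at 95%, with free disk dropping from 20% to 5% near the end."""
    base = datetime(2007, 1, 1, 9, 0, 0)
    cpu = [30, 99, 30, 95, 95, 95, 95, 95, 95, 95, 40]
    disk = [20] * 9 + [5, 5]
    return [
        {"time": base + timedelta(seconds=60 * i),
         "cpu_pct": float(c), "disk_free_pct": float(d)}
        for i, (c, d) in enumerate(zip(cpu, disk))
    ]


if __name__ == "__main__":
    for kind, when in evaluate(constructed_samples()):
        print(f"{when:%H:%M} {kind}")
    print("live:", collect_sample())
```

On the constructed data the spike at 09:01 is ignored, the sustained run that began at 09:03 is reported at 09:08 once it has held for five minutes, and the disk alert fires at 09:09. In practice the sampler would run as a scheduled task and ship alerts to the management console rather than print them.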
4) You Can't Gain Remote Access to PCs
Resolving problems on remote PCs, especially laptops, can be difficult and
costly. Having remote access to a PC can reduce downtime for the user and
operating expenses. If the initial diagnostic steps can be done remotely, then
users can be up and running in significantly less time. This capability does
come at a price. The remote connection software can itself introduce vulnerabilities
by giving hackers unwanted access to the PC. It is essential that the
remote connection be reliable and secure, meaning encrypted, authenticated and
limited to authorized administrators. Many regulations require that any remote
connection be deployed in a secure fashion to prevent compromise by hackers.
5) You Have No Reliable Data Backup System
As the previous examples show, computers can be compromised,
resulting in the loss of the data on them. This can cause considerable financial
damage to a corporation in addition to violating regulatory requirements for
information retention. Many financial regulations require that transaction records
be made available through data backup measures. For locally connected systems,
this can be accomplished using backup utilities across the network. However,
for remote systems, managing the external connectivity the backup utility
needs in order to function can be troublesome. Furthermore, continual planning
is needed to ensure that enough space is available to hold all of the information
generated. This typically requires a storage buffer to be made available as
new equipment is approved, purchased and deployed.
6) You Have No Way to Retrieve Stored Data
Retrieval of the stored data is a separate problem. Where
laptops are deployed, it may be essential to provide immediate access
to the stored copy. This may require that emergency personnel be available
24x7 to address data retrieval. Today many corporations are not implementing
complete backup solutions for PC data, especially data on laptops, not only
violating regulatory requirements but also running the risk of permanently losing
7) You Can't Encrypt Data on PCs that are Lost or Stolen
Ensuring that information is accessed only by authorized users is a universal
regulatory requirement. Information targeted by regulations must be protected
at all times. With the proliferation of laptops, loss of control over data
is a key concern. Many regulations mandate that protected data be kept in an
encrypted state both in transit and at rest. A key challenge
to meeting this requirement is making the encryption process seamless to end
users, so that data is automatically protected as soon as it
is generated or received. Even when a laptop is lost or stolen, critical data
must remain protected, which in practice means the encryption key must not be
recoverable from the lost device itself. Failure here means not only that the data
is compromised but also that the regulations have not been met.
Government agencies, industry consortiums and standards organizations continue
to generate new and revised regulations. More and more corporations are bombarded
by new compliance requirements that they find difficult to understand and conform
to. In many cases, these regulations provide little time to become compliant,
creating an unplanned, high-priority effort in order to respond. The initial
cost for establishing compliance solutions can be considerable both in terms
of capital expense and manpower.
By evaluating these "7 Signs", companies can quickly assess their
compliance risks and implement systems to keep pace with the rapidly evolving regulatory
environment surrounding information management.
About the Author
Jim Obsitnik serves as Everdream's vice president of marketing, where he's responsible for all worldwide marketing activities. He previously served as the company's vice president of product marketing, responsible for the go-to-market strategy and execution of all Everdream solutions, including channel and partner strategy.
Jim has over 15 years' experience in the high tech and software development field. He has held engineering, consulting, product management and marketing positions with leading companies such as Mitsubishi Electric, Accenture, Netscape, and Commerce One. Prior to joining Everdream, Jim was the director of product management at Navis LLC in Oakland, California.
Jim holds a B.S. degree in Electrical Engineering from Princeton University and an M.B.A. from the Wharton School at the University of Pennsylvania.
For more information on security and compliance issues, visit http://www.everdream.com.