7 Signs You May be Violating Security Compliance Regulations


Poorly managed desktops and laptops expose companies to major compliance and security problems. These devices are often left susceptible to both internal and external threats, and a compromise can mean loss of control over sensitive customer information along with the substantial cost of responding to the incident. Companies face a slew of information security requirements under federal and state laws and industry rules such as GLBA, Sarbanes-Oxley (SOX), and HIPAA.



Given the current pressures to account for all aspects of a company’s critical information, effective desktop management capabilities are fast becoming essential to meeting today’s requirements. The question isn’t whether a company should deploy and maintain computers and related software applications securely, but rather how it should do so.

The core tenets of information management compliance regulations can be broken down into three categories: ensuring the confidentiality of sensitive information (GLBA, PCI DSS); protecting data integrity by preventing unauthorized creation or modification of records (SOX); and guaranteeing information availability during mandated time periods (HIPAA, whose Security Rule in fact requires all three for protected health information).

Wondering if you're at risk of violating security compliance regulations? The following "7 Signs" can help you determine your compliance status and develop a game plan for avoiding regulatory action.

1) You Struggle with the Ability to See and Manage Software Configurations.

Software vulnerabilities give attackers a way into protected systems. Most regulations require that a software configuration management process is in place. Visibility into software configurations, together with the ability to push changes automatically, lets patches be distributed to fix known vulnerabilities in installed software before they are exploited. A configuration management system should be able to accomplish the following:

  • Asset discovery, so that every system is identified together with its software configuration
  • Software update and patch distribution to non-compliant systems
  • An audit record of all changes made
  • Rollback of any update that proves incompatible

The typical challenge in deploying a configuration management system is the time and investment required to get it up and running. Until confronted with a compliance obligation, many organizations have only a limited solution in place.
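As an added illustration (not Everdream's product and not code from the original article), the following Python script shows the checks a configuration-management compliance report boils down to: comparing each host's reported software against a minimum-version baseline, flagging packages that are missing or outdated, and reconciling the inventory against an asset register so that hosts which never reported are treated as discovery gaps rather than as compliant. The baseline, the register, the host names, package names and version numbers are all constructed for the example.

```python
"""Patch/configuration compliance check over a constructed inventory.

Added example; the baseline, register, host and package names below are
constructed for illustration and do not describe any real product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Minimum acceptable versions every managed endpoint must carry (constructed).
BASELINE = {
    "endpoint-av": "8.4.1",
    "full-disk-encryption": "3.0.0",
    "browser": "116.0.1",
}

# Every host the organisation believes it owns (constructed asset register).
ASSET_REGISTER = {"wks-001", "wks-002", "lap-101", "lap-102"}

# What the management agent actually reported, host -> {package: version} (constructed).
INVENTORY = {
    "wks-001": {"endpoint-av": "8.4.1", "full-disk-encryption": "3.1.2", "browser": "116.0.1"},
    "wks-002": {"endpoint-av": "8.3.9", "full-disk-encryption": "3.1.2", "browser": "116.0.1"},
    "lap-101": {"endpoint-av": "8.4.1", "browser": "115.2.0"},
    # lap-102 never checked in: a discovery gap, which must not count as compliant.
}


def version_key(version: str) -> tuple[int, ...]:
    """Turn '8.4.1' into (8, 4, 1) so '8.10.0' sorts after '8.9.0' (a string compare would not)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_older(installed: str, required: str) -> bool:
    """True when installed < required, padding short versions with zeros ('1.2' == '1.2.0')."""
    a, b = version_key(installed), version_key(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


@dataclass
class HostFinding:
    host: str
    missing: list[str] = field(default_factory=list)
    # package -> (installed version, required version)
    outdated: dict[str, tuple[str, str]] = field(default_factory=dict)

    @property
    def compliant(self) -> bool:
        return not self.missing and not self.outdated


def check_host(host: str, installed: dict[str, str], baseline: dict[str, str]) -> HostFinding:
    """Compare one host's reported software against the baseline."""
    finding = HostFinding(host)
    for package, required in baseline.items():
        have = installed.get(package)
        if have is None:
            finding.missing.append(package)
        elif is_older(have, required):
            finding.outdated[package] = (have, required)
    return finding


def compliance_report(inventory: dict, register: set, baseline: dict) -> dict:
    """Per-host findings plus the two reconciliation gaps between register and inventory."""
    findings = {host: check_host(host, sw, baseline) for host, sw in inventory.items()}
    reported = set(inventory)
    return {
        "findings": findings,
        "noncompliant": sorted(h for h, f in findings.items() if not f.compliant),
        # Registered but silent: discovery failed, so remediation cannot reach them.
        "unreported": sorted(register - reported),
        # Reporting but not registered: unknown devices on the network.
        "unregistered": sorted(reported - register),
    }


if __name__ == "__main__":
    report = compliance_report(INVENTORY, ASSET_REGISTER, BASELINE)
    for host in report["noncompliant"]:
        f = report["findings"][host]
        print(f"{host}: missing={f.missing} outdated={f.outdated}")
    print("never reported:", report["unreported"])
    print("not in register:", report["unregistered"])
```

The numeric version comparison matters in practice: a naive string comparison would rank "8.10.0" below "8.9.0" and silently pass an outdated agent. The silent host (lap-102) is reported separately from the non-compliant ones because it needs a different remedy: finding the machine, not pushing a patch.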

2) You've Yet to Implement Company-wide Antivirus Control

Malware, viruses included, is one of the main ways software weaknesses are exploited. Viruses come in many forms depending on the intent of the writer. Many are designed simply to do damage, but others are intended to take over the target PC quietly and put it to use. Examples of this type of behavior include:

  • Trojan horses to take over control of the PC
  • Spam distribution programs
  • Storage of illegal content

In order to provide comprehensive antivirus control, prevention, detection and correction of any virus activity must be in place. Prevention and detection consist of deploying an antivirus solution. However, to be effective, the virus definitions must be updated continually so that new infections can be caught. In addition, vendors periodically release updates to the scanning engines themselves. These patches must also be distributed and applied quickly, since it takes only one unprotected machine for a virus to cause a security breach. As with configuration management, this can take considerable resources and cost to maintain.

If a machine does become infected, it must be disinfected as soon as possible. This can prove difficult if the infected machine is remotely located. One approach for remote PCs is to use a web-based remote control utility to attempt a first fix. In the worst case, a whole new machine may be needed. Whatever the situation, it is crucial that no information is lost, and an adequate data backup capability helps reduce the damage and cost of viruses.

3) You Lack the Ability to Monitor PC Resources

To operate reliably, an operating system needs free memory and disk space for temporary storage. When either runs out, applications and the operating system itself can crash, and unsaved data is lost. Abnormally high processor utilization is likewise a common symptom of malware or a runaway process. Monitoring processor, memory and storage usage, and alerting on sustained deviations rather than brief spikes, is a good way to detect unwanted behavior on a PC and prevent future system failures.
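As an added example (not code from the article or from any product it mentions), the Python script below shows the detection logic such monitoring reduces to, run over constructed telemetry: a CPU alert only after several consecutive hot samples, so a single spike is ignored; memory and disk alerts on the latest reading; and a projected disk-exhaustion alert derived from the trend in free space, which catches a filling disk before it actually runs out. The host names, thresholds and readings are constructed for illustration.

```python
"""Endpoint resource monitoring over constructed samples.

Added example, not code from the article. Hosts, thresholds and readings are
constructed; a real deployment would feed in agent telemetry instead.
"""
from __future__ import annotations

from dataclasses import dataclass

CPU_PCT_LIMIT = 90.0            # per-sample CPU utilisation considered abnormal
CPU_SUSTAINED_SAMPLES = 3       # consecutive hot samples before alerting (ignores brief spikes)
MEM_FREE_MIN_MB = 256           # below this the OS pages hard or fails allocations
DISK_FREE_MIN_MB = 2048
DISK_HORIZON_MINUTES = 24 * 60  # warn when free space is projected to hit zero within a day


@dataclass(frozen=True)
class Sample:
    host: str
    minute: int        # minutes since the start of the observation window
    cpu_pct: float
    mem_free_mb: int
    disk_free_mb: int


def sustained_cpu(samples: list[Sample], limit: float = CPU_PCT_LIMIT,
                  run: int = CPU_SUSTAINED_SAMPLES) -> bool:
    """True if CPU stayed at or above `limit` for `run` consecutive samples."""
    streak = 0
    for s in samples:
        streak = streak + 1 if s.cpu_pct >= limit else 0
        if streak >= run:
            return True
    return False


def minutes_until_disk_full(samples: list[Sample]) -> float | None:
    """Least-squares trend of free disk space; None when it is not shrinking."""
    if len(samples) < 2:
        return None
    xs = [s.minute for s in samples]
    ys = [s.disk_free_mb for s in samples]
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        return None
    slope = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / sxx  # MB per minute
    if slope >= 0:
        return None
    return ys[-1] / -slope  # minutes from the latest sample until free space reaches zero


def evaluate_host(samples: list[Sample]) -> list[str]:
    """Return the alert names raised for one host, in a fixed order."""
    samples = sorted(samples, key=lambda s: s.minute)
    latest = samples[-1]
    alerts = []
    if sustained_cpu(samples):
        alerts.append("cpu_sustained")
    if latest.mem_free_mb < MEM_FREE_MIN_MB:
        alerts.append("mem_low")
    if latest.disk_free_mb < DISK_FREE_MIN_MB:
        alerts.append("disk_low")
    eta = minutes_until_disk_full(samples)
    if eta is not None and eta <= DISK_HORIZON_MINUTES:
        alerts.append("disk_exhaustion_projected")
    return alerts


def evaluate_fleet(samples: list[Sample]) -> dict[str, list[str]]:
    """Group samples by host and evaluate each host."""
    by_host: dict[str, list[Sample]] = {}
    for s in samples:
        by_host.setdefault(s.host, []).append(s)
    return {host: evaluate_host(group) for host, group in sorted(by_host.items())}


# Constructed telemetry: five readings per host, five minutes apart.
SAMPLES = [
    # wks-001: healthy; one CPU spike must not trip the sustained check.
    *[Sample("wks-001", m, c, 1500, 50000) for m, c in zip(range(0, 25, 5), (20, 95, 30, 25, 22))],
    # lap-101: CPU pegged for the whole window, as a runaway process or malware would show.
    *[Sample("lap-101", m, c, 900, 30000) for m, c in zip(range(0, 25, 5), (97, 98, 99, 99, 98))],
    # wks-002: free memory has collapsed.
    *[Sample("wks-002", m, 35, 128, 40000) for m in range(0, 25, 5)],
    # srv-log: plenty of disk now, but shrinking 100 MB/min, so full in 80 minutes.
    *[Sample("srv-log", m, 40, 2000, d) for m, d in zip(range(0, 25, 5), (10000, 9500, 9000, 8500, 8000))],
]


if __name__ == "__main__":
    for host, alerts in evaluate_fleet(SAMPLES).items():
        print(f"{host}: {alerts or 'ok'}")
```

The two design points worth copying are the streak counter, which keeps a backup job or a compile from paging the on-call engineer, and the trend projection, which turns "disk is at 8 GB free" into "disk is full in 80 minutes" so the alert arrives while there is still time to act.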

4) You Can't Gain Remote Access of PCs

Resolving problems on remote PCs, especially laptops, can be difficult and costly. Remote access to a PC saves the user downtime and reduces operating expenses: if the initial diagnostic steps can be done remotely, users are back up and running in significantly less time. This capability does come at a price. Remote control software can itself introduce vulnerabilities by giving attackers an unwanted way into the PC, so the remote connection must be reliable, authenticated and encrypted. Many regulations include requirements that any remote connection is deployed in a secure fashion to prevent compromise.

5) You Have No Reliable Data Backup System

As the previous examples show, a compromised computer can mean the loss of the data on it. This causes financial damage and can also violate regulatory requirements for information retention. Many financial regulations require that transaction records remain available, which in practice means data backup. For locally connected systems this can be accomplished with backup utilities running across the network. For remote systems, however, managing the external connectivity the backup utility needs can cause headaches. Furthermore, continual capacity planning is needed to ensure that enough space is available for all of the information generated; this typically means keeping a storage buffer in hand while new equipment is approved, purchased and deployed.

6) You Have No Way to Retrieve Stored Data

Backup is only half of the problem; the stored data also has to be retrievable. Where laptops are deployed, it may be essential to provide immediate access to the stored copy, which may require that support personnel are available 24x7 to handle data retrieval. Today many corporations do not implement complete backup solutions for PC data, especially data on laptops, not only violating regulatory requirements but also running the risk of permanently losing critical data.

7) You Can't Encrypt Data on PCs that are Lost or Stolen

Ensuring that information is accessed only by authorized users is a universal regulatory requirement, and regulated information must be protected at all times. With the proliferation of laptops, loss of physical control over the device, and with it the data, is a key concern. Many regulations mandate that protected data is kept encrypted both in transit and at rest. A key challenge in meeting this requirement is making encryption seamless to end users, so that data is protected automatically as soon as it is generated or received rather than depending on the user to do anything. With at-rest encryption in place, data on a lost or stolen laptop remains protected. Failure to encrypt means not only that the data is compromised but also that the regulations have not been met.

Summary

Government agencies, industry consortiums and standards organizations continue to generate new and revised regulations. More and more corporations are bombarded by new compliance requirements that they find difficult to understand and conform to. In many cases, these regulations provide little time to become compliant, creating an unplanned, high-priority effort in order to respond. The initial cost for establishing compliance solutions can be considerable both in terms of capital expense and manpower.

By evaluating these "7 Signs", companies can quickly assess their compliance risks and implement systems to keep pace with the rapidly evolving regulatory environment surrounding information management.

About the Author

Jim Obsitnik serves as Everdream's vice president of marketing where he's responsible for all worldwide marketing activities. He previously served as the company's vice president of product marketing, responsible for the go-to-market strategy and execution of all Everdream solutions, including channel and partner strategy. Jim has over 15 years' experience in the high tech and software development field. He has held engineering, consulting, product management and marketing positions with leading companies such as Mitsubishi Electric, Accenture, Netscape, and Commerce One. Prior to joining Everdream, Jim was the director of product management at Navis LLC in Oakland, California. Jim holds a B.S. degree in Electrical Engineering from Princeton University and an M.B.A. from the Wharton School at the University of Pennsylvania. For more information on security and compliance issues, visit http://www.everdream.com.
