Securing Compliance: System, Project or Process?

With regulatory demands continually increasing the burden on technology departments to provide transparency, database and application security products are growing in popularity as insurance companies look for ways to keep up. Requirements such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley and the Federal Information Security Management Act pertain to auditable security controls on information stored in databases, so why not begin compliance efforts where systems and processes already exist - database security? "Every IT security company in the world is now using the compliance buzzword," relates Michael Rasmussen, principal analyst, risk/compliance, Forrester Research (Cambridge, Mass.). But, "While some technologies may help in the compliance effort, none are end to end."

Still, IT security technology vendors are facing growing market demand. "There has been an increased awareness and interest in security solutions both because of an increased regulatory environment and all of the database breaches that have been taking place," explains Ted Julian, vice president, strategy, for New York-based Application Security Inc. (AppSecInc), a provider of security solutions. Now, insurers not only need to protect sensitive data - since regulations such as SOX demand accountability for the integrity of financial reporting - they also need to provide proof that they have effective security measures in place.

Combined Efforts

To maximize efficiency, some experts suggest that insurers augment existing security measures with compliance measures rather than look for end-to-end solutions. "The relation of database security to compliance is a way to get some funding for your company's security budget, shaking some dollars free and giving you time to really locate sensitive data," says Rich Mogull, research vice president, information security and risk, Gartner (Stamford, Conn.). Mogull recommends focusing on the design and control of company databases as a starting point for security and compliance best practices. "Starting with database activity monitors and filtering tools to find key pieces of information is the beginning of good security," he explains. "Reporting capabilities come into play next and have a large impact on compliance efforts."

According to Forrester's Rasmussen, the first step to optimizing security and compliance is understanding the scope of regulatory requirements and the documentation needed to satisfy regulators. "Insurers should first take a step back and look at the way their compliance and security efforts are organized, find duplicate technologies and build an infrastructure that supports the compliance requirements, beginning with documentation," he says.

One way to identify key requirements, according to Rasmussen, is to follow the Organizational Sentencing Guidelines, put in place by the U.S. Sentencing Commission in 2004, which allow organizations to mitigate sentences if they can demonstrate adherence to seven elements that establish an effective compliance program. "The seven elements are benchmarks for due diligence in regard to compliance," explains Rasmussen (see sidebar, previous page). "These guidelines further illustrate that there is no one solution for compliance, that it is a process and not simply a project."

AppSecInc's Julian takes this concept a step further. "Organizations should be moving compliance efforts away from just people and processes and toward infrastructure to remove the cumbersome manual tasks of documenting compliance controls," he says. Though people and processes are essential to keep an organization's compliance standards in line with regulatory expectations, infrastructure makes auditing much simpler and bolsters controls, according to Julian. "IT systems make compliance procedures granular, demonstrable and repeatable," he asserts.

The key is not taking the expectation on infrastructure and system solutions too far. "It is easy to get distracted by reporting capabilities and neglect the need for solid security measures," warns Gartner's Mogull.

For Your Eyes Only

AppSecInc's Julian points out that a common and dangerous assumption is that a firewall alone is a quick fix. "While perimeter protections such as firewalls are necessary, they are not sufficient to protect critical infrastructure from within the company," he relates. Real-time monitoring and vulnerability assessment should be layered in with perimeter controls and, finally, encryption, Julian asserts. "Sensitive data must be protected in layers and shielded from everyone on some level," he says.

Taking the opposite approach of Gartner's Mogull, Forrester's Rasmussen suggests that more security vendors should be looking to provide reporting capabilities. "One of the biggest neglects among vendors in the combined security and compliance space has been the facilitating of the requirement that organizations document policy procedures and controls," he explains. "A thorough system has the capability to turn out reports specific to regulations," Rasmussen continues.

---

Where Do We Start?

One way insurance companies can identify key regulatory requirements, according to Michael Rasmussen, principal analyst, risk/compliance, Forrester Research (Cambridge, Mass.), is to follow the Organizational Sentencing Guidelines, put in place by the U.S. Sentencing Commission in 2004. He summarizes the seven elements below:

1. Documentation - An organization has to document policy procedures and controls.

2. Oversight - Someone must oversee compliance from a high level.

3. Personnel Screening - Access privileges must be granted with discretion.

4. Training and Awareness - Individuals in the organization must understand their compliance roles and responsibilities.

5. Monitoring Controls - Monitoring and auditing controls must be in place and effective.

6. Consistent Enforcement - Compliance standards must be consistently enforced.

7. Incident Response Process - Offenses must be responded to appropriately to avoid further misconduct.