Thursday, March 26, 2009

Buying compliance

I have been thinking a lot about the price of compliance lately. Almost every day I get unsolicited emails from a vendor (frickin' provide-your-email-to-get-IT-content websites) pitching their product with the big label SOX COMPLIANT, HIPAA COMPLIANT in big letters (sorry for shouting, but those were direct quotes).

I still can't figure out how such misleading claims can be so prevalent. Take SOX compliance. SOX says precious little about information security, and only concerns itself with security insofar as it touches on financial controls. In other words - SOX requires you to have that security in place that prevents people from cooking your books. SOX says nothing about firewalls, and yet many firewalls are advertised as SOX compliant. 

Now part of this FUD undoubtedly originates with auditors. From my experience audit firms send their heavyweights for the financial part but tend to send some pretty inexperienced folks to do the IT audit. These recent grads sometimes are political science graduates who realized that all the good jobs are gone, did a quick CISA, and *poof* became auditors.

Here's a quick reality check for all of us in the information security industry - the IT audit is just a sideshow in the financial audit, and a pretty minor sideshow at that. And when it comes to being in IT compliance, the lion's share of that is your user access security. I'll say that again in case you missed it - when IT systems are responsible for the inaccuracy of a company's financial statements, it's because of programming errors, broken reporting processes, or someone having access to a system they weren't supposed to. It's almost never (at least not as far as I know) because someone managed to take advantage of the fact that Apache wasn't patched on the web server. When the auditor comes with a cookie-cutter checklist, you will usually be able to provide compensating controls for technical deficiencies but its much harder to fudge the integrity of your business processes.

The main area where you can fail a financial IT audit is in the area of user access to data and applications. If an organization has been sloppy about granting access to network shares or to critical systems, they are in material breach of some basic audit requirements. But there is no product in the world you can buy that will do this for you. Let me repeat that one more time because it contradicts at least 5 sales pitches you have heard in the last month - you cannot buy a product that will magically make sure everyone in your company only has access to the data they are supposed to have. This is because there is no product that can solve your office politics, and (despite the claims of some DLP vendors) there is no product that can really intelligently discern whether data is sensitive or not.

While we're on this can't-buy-me-compliance riff, let's not forget the buttons for "HIPAA Report", "SOX report" etc that some security products come with these days. There's almost a cartoon-like image to a SOX auditor coming in and asking for a report and the compliance manager saying, well, I'm glad you asked, I have this nifty SOX report button I will press here.

The somewhat heretical truth is that compliance requirements are basically the same across regulations, industry contracts, and even jurisdictions - make sure only the people who need access have it, make sure you know what happened when, and make sure you have a properly managed environment. But almost all of this is about process, not technology - and where there is a technological need, in most cases there are pre-existing modules or plugins that provide this functionality (I say in most cases, because there are some systems - most notably administrative credential management systems - that truly fulfill the spirit of compliance requirements yet have not been built into existing user management products).

The trend to built-in security and compliance has been underway for a long time, as the major vendors have integrated regulation-driven customer requests over the years. It will be hard for niche products to survive over time without being integrated into larger product suites for the simple reason that most organizations have a very strong incentive to limit the number of vendor relationships they have. Every new vendor represents a significant overhead in terms of sheer contact, interaction, contracts, etc, and of course the significant risk and complexity that it adds to the environment. 

So to circle back to buying compliance - the real costs of security related compliance are in the time and organizational capital required to bring about real business process change (the second half of that sentence sounds like buzz word drivel, but sometimes buzz words exist for a reason). While there are certain niche products that can assist with compliance requirements in certain industries, for the most part organizations - especially any midsize company - can get compliance by leveraging functionality in their existing infrastructure.

1 comment:

Note: Only a member of this blog may post a comment.