To many network security professionals terms such as "compliance" strikes fear into their very hearts. Why? Well, simply put, because the whole compliance issue is murky at best when it comes to the nuts and bolts of it.
Compliance and you
Well like a great many of you I was also rather confused by all this talk about compliance. Whenever the word was mentioned I could only ever think that compliance meant that you were adhering to a set of guidelines, or some such. In reality I was not really that far from the truth. What is compliance though, and how did this buzzword found in the IT world really come to be? Do any of you recall hearing about one of the greatest accounting scandals in the history of corporate America? If Enron comes to mind then you would be bang on the money.
What happened as a result of the financial shell game that the senior executives played at Enron was the collapse of an energy titan, or so the shareholders had thought. When all was said and done there was a very real toll. Many, many people who had invested heavily in Enron as part of their retirement savings saw their old age nest egg wiped out. That in turn caused a "perfect storm" of media coverage. This media coverage probably helped prompt the US Congress to pass what is now known as SOX aka: Sarbanes-Oxley Act. This act impacted directly, not only accounting practices, but also the IT departments of corporate America.
Just how does it affect me though?
The aftermath of Enron and other high-profile financial flameouts was the SOX legislation. Now the problem was, just how did the IT departments go about implementing it? SOX stipulated that all business records including electronic ones such as email had to be retained for a period of no less then five years. While you may be saying to yourself "big deal", it really rather is. This is especially true when the cost of not complying with such regulation can be a lovely cocktail of fines and possible jail time. That double threat really helps to motivate the IT manager let me assure you, as well as those above him or her.
Now what is indeed the tricky part of SOX and remaining compliant with it? You must have specific electronic records as spelt out in SOX saved for a period of no less then five years. As an IT person, just how do you go about doing that. Do you store all of these records onsite or do you go for offsite storage? What about backups for these critical records? Is there any software solution out there today that will help you deal with this problem? Actually there is one company that I was made aware of called RippleTech. Should you be looking for a compliance solution then you may wish to give their site a visit. Having the ability to quickly and confidently verify the various aspects of compliance is very valuable.
Well if you just checked out the link I supplied above you will see that there is help to be had in making sure that you are compliant with SOX. With the aftermath of mother nature's fury as evidenced by hurricane Katrina you may not wish to only store those electronic records onsite. That gives rise to another scenario that you will have to address. That of backups and disaster recovery planning. I won't go into detail on this as there was just recently an excellent series dealing with just that written by Ricky M. Magalhaes. Word to the wise, I would give that article series a read.
Well there is far more to the world of compliance than the SOX act. There are several others that various segments of Corporate America must contend with. Not all of them deal with financial records either. Most Americans I imagine are happy that HIPAA has come to pass as it deals patient records and their confidentiality for one. If you have never heard of HIPAA it actually breaks out to Health Insurance Portability and Accountability Act. There is more to HIPAA than the protection of and security of patient health related data.
Up to now in this article there have been very few security landmarks for us to relate all of this compliance with. By security landmarks I mean such tools as say nmap. Yes nmap will be of use to you in helping to secure those financial records. Having all the latest patches and security measures in place will be of little good if you don't realize that for some reason, say TCP port 135 is open on the router. That really would be a bad idea! Having a network scanner like nmap will help assure you that all is as it should be in terms of what ports are open by actively scanning your own IP addresses with nmap. After all you don't want those financial records to be somehow accessed by malicious hackers do you? There have been instances noted in the recent past of hackers encrypting the contents of hard drives for ransom as it were. With that in mind, rest assured that tools such as nmap seen below will most definitely still play a part in your compliance efforts.
The biggest threat to compliance
We have seen above that the electronic landscape for Corporate American has irrevocably changed. Since the introduction of legislation noted above there has been a lot of work going into ensuring one's compliance. The whole series of acts passed by Congress has really, if nothing else, led to a cottage industry which deals specifically with compliance. New software programs have been written, awareness campaigns have been launched, by yet there is still one iceberg looming on the horizon for many.
What I am referring to as the biggest threat as it relates to compliance is that of general confusion and misunderstanding of the very regulations passed such as SOX. Strangely enough quite a few executives still profess to being rather baffled by the language contained in these pieces of legislation. CSO/CIO's are all more than willing to make sure they are doing their part as mandated by law, but getting a grip on the nuts and bolts of the wording can be daunting.
This confusion and lack of clear direction is the last thing that we as the security professionals, who must actually do the hands on work, want to hear. All is not lost though. There are a variety of places that one can go to for clear cut advice. You may wish to go to the Office of Management and Budget website. One other place to go visit is also NIST or National Institute of Standards and Technology. NIST had done an admirable job of developing a methodology to aid you in your task of ensuring compliance.
Over the course of this article we have seen that, due to corporate sector accounting scandals, there are various legislative acts being passed. While these acts have been passed with good intentions, it can also be argued that they have also further muddied the waters as to exactly what one should do to become and remain compliant. There are resources to help you out of this quandary such as vendor supplied software solutions and some government related websites. What you really need to know is that the battle to remain compliant is an ongoing one that can and will have real consequences should you fail to do so. That is the sobering reality that you must deal with. Not only must you ensure normal network security procedures, but now you also have another layer of complexity to deal with. Just remember that standard security practices will still help you in the goal of becoming compliant. I sincerely hope that you enjoyed this article and as always welcome your feedback. Till next time!