In-Depth

Lack of IT Guidance Hinders Compliance Efforts

Continued use of legacy environments may result in charges of negligence

• By Stephen Swoyer
• 06/29/2004

From an IT perspective, one of the most vexing aspects of managing compliance with the Sarbanes-Oxley Act (SOX), the Health Information Privacy and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA) is a conspicuous lack of prescriptive technological guidance. Beyond frontline financial reporting and ERP systems, there’s little agreement about just how far an organization should go to ensure that its information systems are in compliance with these regulations.

Take the HIPAA privacy standards, for example, which prescribe penalties for the misappropriation of confidential patient information, but which lack specific technological guidance—i.e., documentation recommendations—for doing so. IT departments say the worst offender by far is Sarbanes-Oxley, which is so bereft of IT prescriptions as to be almost useless.

In the absence of prescriptive standards, experts suggest that best IT organizations can do is demonstrate due diligence. “These regulations don’t have a lot of specifics in them, and the sense is that [auditors are] just looking for companies to have a well-documented set of controls and processes and proof that they followed them,” says David Mann, security product strategist with systems management vendor BindView Corp. “For the data privacy stuff, the quality of what you do controls-wise is not so important as the fact that it’s documented. So it’s conceivable that some organizations will just try to document everything [to demonstrate] due diligence.”

In a legal and regulatory climate in which “due diligence” is viewed as an acceptable litmus test for compliance with SOA, HIPAA, and GLBA data-privacy and data-permanence requirements, however, some industry watchers say that many organizations could face impossible standards—or, as a result of cutting corners, set themselves up for a fall.

Consider the case of an organization that hosts one or more applications on a legacy operating environment such as Microsoft Corp.’s Windows NT 4.0. Admittedly, the difficulties associated with securing Windows NT 4.0 are legion, and with the sun scheduled to set on NT support this December, they’ll increase exponentially: Microsoft has said it will no longer patch security vulnerabilities or fix other potential operating system issues beyond the end of this year.

This begs the question: If the litmus test for compliance with the data privacy and data permanence requirements of SOX, HIPAA, and GLBA is exhaustively documented due diligence, could using a non-current, non-supported operating environment such as Windows NT 4.0 be considered prima facie evidence that organizations haven’t done the necessary due diligence?

It would hardly take an enterprising attorney to argue as much. “If [organizations are] just using Microsoft technology, that stuff was not built with these kinds of regulatory requirements in mind, so it’s very difficult to sort of granularly manage access controls, auditing, things like that,” says Kimber Spradlin, a product marketing manager with systems management and security vendor NetIQ Corp.

“I could see a lawyer claiming that, hey, Windows 2000 and XP and 2003 have been available to you for a significant amount of time now. You’d have to have your head under a rock to not know that they offer a lot more security and a lot more capabilities … Certainly a lawyer could take it and claim that that represented some level of negligence and not meeting due diligence.”

Suppose, for example, that an attacker—perhaps even a legitimate employee of a healthcare organization—is able to exploit a security vulnerability or a mis-configuration on a Windows NT 4.0 file server to obtain or disseminate confidential information about a patient. In the last three years alone, Microsoft has patched several flaws in the Server Message Block (SMB) protocol that is the lynchpin of Windows file sharing; who’s to say that the software giant won’t discover still more in the months and years ahead? More to the point, what’s to prevent an aggrieved plaintiff from arguing that the organization didn’t exercise proper due diligence—even if it had enabled Access Control Lists (ACL) and auditing on the server in question?

Further complicating things, notes Gordon Haff, a senior analyst with consultancy Illuminata, is the absence of precedent. “Obviously, there isn’t a whole lot of law here, and there really isn’t case law here. For example, where you can really point to specific examples of what is considered sort of proper due diligence and what isn’t?” he notes. “Absolutely, if there were an exploit against an unsupported legacy operating system—particularly if it was where there were known exploits, where they had known to be insecure—certainly, I think … somebody sort of looking to pin blame could absolutely consider not being up to date, not running a supported operating system as an example of not doing due diligence.”

In some ways, Windows NT 4.0 is a special case. By and large, it found uptake in most enterprise IT environments in support of file and print and department-level applications. Chances are that most existing Windows NT 4.0 systems have been replaced by or upgraded to newer versions (Windows 2000, Windows Server 2003)—or simply retired altogether.

But what about other, aging, legacy operating environments? Is it possible that the old SunOS box in your closet could be a compliance nightmare waiting to happen? What about that trusty HP 3000 for which there’s no easy upgrade path? It’s possible, say Haff and other industry watchers, but not likely.

“Microsoft is obviously not unique in this regard, and there’s a lot of older versions of operating systems that are not supported, and, for that matter, there’s currently supported versions that are not necessarily up to patch levels,” he points out. “Realistically, however, HP 3000s are not the prime targets for hackers these days. From a practical standpoint, it’s probably not nearly as big a problem with those older Unix systems, older mainframes, whatever, simply because they’re much less targets of attack than older Windows systems are.”

Or, to put it another way, how many flaws in HP’s MPE operating environment have you read about in the last three years?

Data privacy isn’t the only aspect of SOX, HIPAA, and GLBA that’s open to a substantial degree of interpretation. Depending on how you look at it, between all three bills, the data permanence (i.e., information authenticity) requirements give IT organizations just enough freedom to be creative – or (conversely) more than enough rope to effectively hang themselves in the event of a compliance infraction.

First, consider the SEC’s draconian enforcement of its Rule 240.17a-4(f), which says that data must be preserved and maintained in a manner that guarantees its authenticity. When the SEC defined Rule 17a-4f, it said that this requirement could only be addressed by so-called write-once, read-many (WORM) devices. After howls and protests from disk storage vendors such as EMC Corp. and Network Appliance Inc. (NetApp), the SEC ruled that any solution that implements a combination of hardware and software mechanisms to prevent tampering with data is acceptable. Thus far, EMC, IBM Corp., and NetApp (among others) have fielded compliance-friendly disk storage systems that support data permanence features.

SOX Section 802 is similar to Rule 240.17a-4(f), in that it prescribes criminal penalties for persons who alter or destroy records related to SEC investigations or bankruptcy proceedings. In this regard, Section 802 enforcement could probably stand to benefit from some technology guidance—e.g., is WORM technology a requirement, or can companies use disk-based alternatives that guarantee the accuracy and authenticity of data? As with so many other aspects of SOX, no such guidance is forthcoming, encouraging companies to also hedge their bets with respect to compliance with the data accuracy and authenticity provisions of HIPAA (for healthcare records) and GLBA (for personal consumer records), industry watchers say.

“If you actually look at how healthcare companies are behaving [with HIPAA], we see customers saying, 'I can take advantage of [data permanence capabilities] at the application level, so I don’t have to pay for it [in the storage device],'” says Krish Padmanabhan, director of Product Marketing with NetApp’s compliance and data protection solutions practice. “Some hospitals are saying that doing this [data permanence] at the application level is good enough, some others aren’t.”

Padmanabhan, too, thinks that the issue boils down to one of due diligence, although he suggests that companies that hedge their bets will probably end up paying a big price. “There’s going to have to be some prosecutions and some convictions before people start to keep their data in a permanent way.”