Best Practices: Staying Ahead of International Regulations
From carrots to sticks, a variety of recent regulations has presented a challenge to security managers. We ask a security expert where U.S. and European regulations are headed.
What’s a global company to do? Take the Health Insurance Portability and Accountability Act, add a dose of the Sarbanes-Oxley Act of 2002, plus European privacy regulations, which tend to vary in their precise interpretation and implementation on a country-by-country basis, and the number of regulations companies need to follow looks downright onerous. Security managers, of course, must keep up to date with the latest regulations while keeping on top of ongoing intrusion threats.
To explore the current regulatory landscape and where it’s headed, and to understand the proactive best practices for security managers, Security Strategies spoke with Marc van Zadelhoff, vice president of marketing at Consul Risk Management, a United States- and Netherlands-based security and event management software company whose customers include Fidelity Information Services, Wachovia, The New York Times, Office Depot, Ford, and many government agencies.
What’s the current state of regulations companies need to meet?
What we're seeing is that the whole regulatory environment has just gotten a lot more serious. Look at regulations like the Health Insurance Portability and Accountability Act (HIPAA), which has gone from being a fuzzy and vague moving target to being defined.
Did HIPAA make companies sit up and take a hard look at security?
What I heard from a customer recently was that HIPAA was out there, but then the Sarbanes-Oxley Act of 2002 came out and made it a whole lot more real. The Sarbanes-Oxley Act has become the mother of all sticks to enforce a lot of corporate governance requirements that were out there.
And that’s pushed companies?
You really get the feeling now that people are really starting to do something about it. In Europe you also have the Basel II accords [for banking]. In the Netherlands, there are a bunch of little regulations that I couldn't get you to pronounce correctly, but they're all getting around similar topics of security and confidentiality. On both sides of the Atlantic you see a lot more people getting serious with regulations.
What’s Basel II?
Basel II—just very quickly—is all about lowering operational risk. [It links your] reserve levels to your operational measures to reduce risk. We had a customer recently down in Italy, a large bank, that adopted our solutions, and he said, "Your solutions allow me to lower my operating risks, which allows me to have a lower reserve ratio, which allows me to earn back what I'm spending on your product."
So that’s more carrot than stick?
Yes. Then there’s HIPAA, with fines, where literally, that's a stick. Sarbanes-Oxley, talking about tossing people in jail, that's certainly quite stick-like. Other things are also very carrot. Another customer that dealt with our solution recently, I called and asked, "Was it driven by regulatory compliance?" [Actually] it was driven by customers saying "I won't do business with you unless you’re secured properly."
The days of not being a regulated company are over, because there are enough companies out there that are regulated that you essentially comply with those regulations, too. And if not, Sarbanes-Oxley is telling me to be smart about protecting information, so then there are other standards out there like the ISO standard 17799, or the British standard 7799, as a way to become compliant with best practices.
Where are European regulations headed right now?
There are still a lot of country-specific rulings out there. Without mentioning countries by name or stereotypes, there are a lot of countries [that] say, "Our standards are better or more thorough." Here, the “Law of Personal Information” is Dutch, but a lot of these [laws] are derived from European Union mandates that have come out, but then they’re interpreted differently.
In a way, the Europeans have always been a bit further ahead on the privacy side. Then the U.K. is [ahead too]; look at the way they're treating opt-in lists for blanketing e-mails, or [their] developing British standard 7799. More than 150 companies outside the U.K. are compliant in Europe, and part of it has been adapted to the ISO 17799 standard. One customer in Ohio predicts that within a few years, [they’ll just] have to use it. That's a look at the privacy regulations and security jumping the ocean.
Where’s the U.S. right now?
Well, on the other hand, the U.S. is known for its Giuliani, zero-tolerance, Sarbanes-Oxley. But the point being that the Europeans have done a lot on this, but then the Americans are taking it very seriously, and that's coming and meeting between the two very nicely.
What role does the security manager play in moving a company toward compliance?
Sarbanes-Oxley, HIPAA, that has executives' attention. The security managers are the ones implementing those solutions, really making them happen, spending a lot of their time getting the log files, running queries on them, keeping up with regulatory evolution and architecture, and [wanting to] make sure the network is actually in compliance.
How does your product fit into that cycle?
Consul InSight Security Manager is [for] security management and auditing, so it's within the IT security management space, and it [gathers] all the relevant information on who's doing what on your network, then combines all that information, categorizes it, aggregates it, and then … lets you go and analyze that versus your security policy. So we go and implement against these best practices templates built into our product. [For example,] your controller accessing financial information during the normal workday, yawn yawn, but your marketing department accessing it on the weekend—alert, alert. So … for example, you know if you’re in compliance with Sarbanes-Oxley.
What can proactive companies do to get a jump on not only current but future regulations?
With the Sarbanes-Oxley Act, because it's at such a high level, British Standard 7799 is a good place to start.
Is it difficult to meet so many different regulations?
It’s partly "pick the highest common denominator." In general, a lot of what we see is who touched the data and when. So, in general, [these regulations are all] at a high-enough level that you can do things to demonstrate compliance [across different regulations] and that works.
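The policy check described in the interview (who touched financial data, and when: a controller during the workday is routine, a marketing user on the weekend is an alert) can be expressed as a small audit over access records. The code below is an added example written for this page, not Consul's product; the departments, resources, working hours and log records are all constructed, and it generalises the interview's case slightly by flagging out-of-hours access and access by an unauthorised department as separate findings.

```python
from datetime import datetime

# Constructed sample access records: timestamp, user, department, resource.
# (Not real log output; invented for this example.)
SAMPLE_EVENTS = """\
2004-03-15T10:12:00 jsmith finance GL_LEDGER
2004-03-15T11:40:00 jsmith finance AP_INVOICES
2004-03-20T14:05:00 mlee marketing GL_LEDGER
2004-03-17T23:30:00 jsmith finance GL_LEDGER
2004-03-18T09:00:00 mlee marketing CAMPAIGN_PLAN
"""

# Assumed policy: only finance may touch financial records, and only during
# the working week between 08:00 and 18:00 (both values are illustrative).
FINANCIAL_RESOURCES = {"GL_LEDGER", "AP_INVOICES"}
AUTHORISED_DEPARTMENTS = {"finance"}
WORKDAY_START, WORKDAY_END = 8, 18   # hours: inclusive start, exclusive end
WORKDAYS = range(0, 5)               # Monday=0 .. Friday=4

def parse_events(text):
    """Turn the whitespace-separated records into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, resource = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "dept": dept, "resource": resource})
    return events

def evaluate(event):
    """Return the list of policy findings for one record (empty = within policy)."""
    findings = []
    if event["resource"] not in FINANCIAL_RESOURCES:
        return findings                      # non-financial data: not in scope
    t = event["time"]
    in_hours = t.weekday() in WORKDAYS and WORKDAY_START <= t.hour < WORKDAY_END
    if event["dept"] not in AUTHORISED_DEPARTMENTS:
        findings.append("unauthorised-department")
    if not in_hours:
        findings.append("outside-business-hours")
    return findings

def audit(text):
    """Map (user, ISO timestamp) to findings; only records with findings are kept."""
    report = {}
    for ev in parse_events(text):
        findings = evaluate(ev)
        if findings:
            report[(ev["user"], ev["time"].isoformat())] = findings
    return report
```

Running `audit(SAMPLE_EVENTS)` flags the marketing user's Saturday access to the ledger on both counts and the finance user's late-night access on hours alone; the in-hours finance records and the non-financial campaign file produce nothing.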
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.