
Credit union takes top-down approach to compliance

By Elisabeth Horwitt
22 Feb 2006 | SearchSMB.com


Like many companies small and large, Pennsylvania State Employee Credit Union (PSECU) in Harrisburg had been taking a somewhat piecemeal approach to IT security and regulatory compliance. The credit union used Security Professional Institute templates to facilitate compliance with key regulations like the Sarbanes-Oxley Act. A compliance officer tracked regulations and notified Kevin Doyle, the credit union's information security manager, of new compliance requirements.

About three years ago, however, things began to change.

"We noticed that auditors were more knowledgeable and more serious about security, and the scrutinizing level had gone up," Doyle reported. He attributed this mainly to the Gramm-Leach-Bliley Act (GLBA), enacted in 1999. To achieve compliance with GLBA, financial services firms need to identify vulnerabilities in electronic systems and assess the likelihood and impact of threats as well as the sufficiency of controls to mitigate those risks.

Steps for compliance success

Here are some basic steps to creating a successful security/compliance framework:

Do a gap analysis of current security practices and systems. Analyze this against a normalized control set such as ISO 17799. That tells you where you are versus where you need to be.

Prioritize your resources. Identify gaps in security policies and procedures, then put your resources where you'll get the biggest payback, not for regulatory compliance but for improving your security posture.

Normalize whatever policies you implement across the organization. Do an internal audit to determine whether security policies are consistently being followed.

Create a central repository for policies. Document policies and practices so you can prove compliance to auditors or litigators.

Doyle recognized that PSECU needed a more comprehensive and proactive approach to data security and privacy to not only comply with GLBA, but also to address data security and privacy needs for the organization and its customers. PSECU serves about 120,000 e-commerce users, primarily via electronic connections like the Web and e-mail, which are vulnerable to break-ins.

However, as a small firm with only 500 employees, the credit union had limited manpower to enforce security policies. "Security is done by me and one other person," Doyle said. The firm needed to define a formal set of security policies and then make sure "that everyone in the organization took the policies seriously, and knew their responsibilities."

Regulatory compliance can be a thorny issue for SMBs, particularly public companies in highly regulated sectors such as government and finance. "They have the same number of regulations to comply with as larger organizations, but they don't have the full time staff to cover them," said Patrick McBride, vice president of compliance solutions at Scalable Software LLC in Houston.

That's why small and midsized businesses (SMBs) need, as much as large companies, to take a top-down, policy-based approach to compliance, McBride suggests. Deploying new policies and procedures for each new regulation that comes down the pike is simply too costly and inefficient. IT and security people spend all their time fighting fires and reinventing the wheel. "Best case, you keep having more policies to follow; worst case, they overlap and conflict," he said.

French Caldwell, a research vice president at Stamford, Conn.-based Gartner Inc., said, "A bottom-up approach to resources is too diffused, and you end up overlooking things that turn out to be important. Companies try to leave no stone unturned, but not all stones are equal; and if you're an SMB, you can't get at all the stones." Furthermore, staff members often have no idea what key security measures have been overlooked -- until federal regulators or lawyers come knocking.


Both small and large organizations need to step back and normalize their control set, policies and procedures, McBride said. "A good framework allows you to meet the broadest set of requirements across multiple regulations, without killing the IT department on the back end."

Fortunately, a number of standards organizations have come up with guidelines for implementing a policy-based regulatory compliance and security framework. These include the International Organization for Standardization's ISO 17799; the IT Infrastructure Library (ITIL), which provides IT best practices in a variety of areas; and the IT Governance Institute's Control Objectives for Information and Related Technology (Cobit), which is often used by auditors.

The guidelines focus not only on how to comply with individual regulations, but also on improving the overall governance of the IT organization and how to prioritize resources to address areas of greatest risk, Caldwell noted. Companies that have followed ISO 17799 and ITIL "have good security policies and documentable, testable controls in place, not just shelfware." Gartner clients who had implemented the guidelines "had a much easier time when Sarbox came along," Caldwell said.

PSECU is working toward ISO 17799 compliance right now, with the help of Scalable Software's consultants and software. "Scalable took existing policies and did a gap analysis, to see what was needed for ISO compliance," Doyle said.

Doyle began ISO 17799 training in December. He said he hopes to lay out the scope of the project by May, and submit it to ISO auditors. "Then we have to document all the procedures to show we're following best practices," Doyle said, adding that he expects this part of the initiative to take about six months.

Once PSECU has been certified as ISO 17799-compliant, "We need to build security practices into everyday tasks, make sure people understand that this is the way we do things from now on," Doyle said. "That'll be the hard part." For instance, "With new projects and security incidents coming at you from all directions, it's hard to remember to document everything."

However, Doyle said he expects the rewards to justify the pain. "We figure that if we're in compliance with ISO 17799, everything else will fall into place, including GLBA compliance."

This article originally appeared on SearchSMB.com.
