Wednesday, September 08, 2010

Article received from Stuart Cole,
Chairperson of Thought Leadership Panel

MANAGING CORPORATE GOVERNANCE SECURELY - COMPLIANCE, RISK AND IT GOVERNANCE

From Iain Chidgey, VP & General Manager EMEA, ArcSight

Organisations now face multiple forms of regulatory compliance that must be addressed within a framework of good corporate governance. With security management becoming more central to executive decision-making and a recognised part of overall business risk, IT professionals need to present data to business leaders in a management-report format while, at the same time, collecting the fundamental intelligence required to secure the network.

Corporate governance, the system by which companies are directed and controlled, is key to ensuring the integrity of corporations, financial institutions and markets. Indeed, much of the recent clamour for good corporate governance has arisen from high-profile scandals, globalisation and increased investor activism.

Although evolving legislative and self-regulatory requirements have helped instil global market confidence, compliance with such requirements is of critical concern for many organisations. In addition to tighter financial reporting and auditing controls, much of the new regulation addresses the retention and security of data. Regulations such as Sarbanes-Oxley (SOX), HIPAA, FISMA, PCI DSS, Basel II and a host of others (see Table 1) place greater demands on an organisation's ability both to demonstrate regulatory compliance and to ensure that its IT and business systems are sufficiently robust to fend off fraud or serious attack.

Compliance embraces both mandatory and voluntary implementation of controls and policies. Non-compliance and data or security breaches may result in regulatory penalties, loss of trust and lawsuits, but it is the potential impact on future business that is making compliance and IT security an important element of business risk.

Table 1: Terms of Regulation

PCI Data Security Standard (PCI DSS): A standard created by the Payment Card Industry (Visa, MasterCard, Discover, American Express) to help mitigate credit card fraud. It establishes twelve detailed requirements, with audits, for organisations that process, store or transmit cardholder data.

Sarbanes-Oxley (SOX): U.S. legislation regarding financial transparency and control reporting, passed in response to high-profile shareholder discontent, for any company with a listing on a U.S. exchange. Named after its main architects, Senator Paul Sarbanes and Representative Michael Oxley.

Financial Instruments and Exchange Law (JSOX): Business scandals involving Japanese companies led the Japanese Financial Services Agency to create the Financial Instruments and Exchange Law, referred to as JSOX. It is intended to increase investor confidence by implementing a framework for internal control reporting similar to SOX.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): Sets a standard for US covered entities (healthcare payers, providers and clearinghouses) to protect the confidentiality, integrity and availability of patient health information (PHI) while still allowing it to flow as necessary to ensure proper care.

Federal Information Systems Management Act of 2002 (FISMA): Passed by the US Congress in response to growing reports about the insecurity of federal information technology. It requires government agencies to institute an Information Security Programme to manage, report and periodically re-assess risk.

SB 1386: Also known as a "breach disclosure" law, this was the first US state law (enacted by California in 2002) to require organisations either to encrypt Personally Identifiable Information (PII) or to report any compromise of the data to those affected.

The Committee of Sponsoring Organisations of the Treadway Commission (COSO): A voluntary private-sector organisation (American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, The Institute of Internal Auditors, and the Institute of Management Accountants) that provides guidance on financial reporting and business ethics, effective internal controls and corporate governance.

Control Objectives for Information and Related Technologies (COBIT 4.0): A standard published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), intended to provide a common IT control framework compatible with COSO governance.

Basel II: The second Basel Accord, published in 2004, which mandates that international financial services companies use a system of capital management to offset risk, isolate and manage both credit and operational risks, and reduce regulatory arbitrage.

Gramm-Leach-Bliley Act (GLB or GLBA): The Gramm-Leach-Bliley Financial Modernisation Act of 1999 was passed by the US government to protect consumer personal financial information held by financial institutions. It mandates privacy notices that explain information-sharing practices and allows consumers to limit some sharing.

NIST 800-53: The US National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-53, "Recommended Security Controls for Federal Information Systems", in 2006. The recommended security controls are meant to be used in conjunction with other standards and guidelines for the protection of information systems that support federal government operations and assets.

North American Electric Reliability Corporation (NERC): A self-regulatory organisation that enforces standards to ensure the reliability of the bulk power system in North America.

ISO/IEC 27002:2005 (ISO/IEC 17799:2005): Titled "Information technology - Security techniques - Code of practice for information security management", the standard is published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). It was first released as 17799:2005 and then renumbered in 2007 as 27002:2005 to maintain consistency with the ISO/IEC 27000 series. Revised from the British Standard (BS) 7799-1:1999, the standard contains twelve sections of security controls and their objectives. It has direct national equivalents in many countries.

IT & Corporate Governance

Cultural, political and economic factors mean there is no 'one size fits all' approach to corporate governance. From a compliance perspective, some organisations may only have to address two or three regulations, while others may have to comply with dozens or more, depending on their countries of operation and the nature of their business. All retailers that process cardholder data, for example, must comply with PCI DSS. Similarly, any public company with a listing on a U.S. stock exchange must meet the requirements of SOX, or of counterparts such as JSOX in Japan or Basel II in Europe. In the U.S., HIPAA governs the confidentiality, integrity and availability of patient health information, while in Europe, EC (European Commission) regulations for the retention and security of personal data apply universally.

All information related to compliance resides within an information technology system and needs a secure environment to be input, processed and retrieved. This in itself is a challenge, given that security threats are more tangible than ever and continue to grow in several areas:

- The emergence of cyber mafia and sophisticated criminals who hack for financial gain rather than prestige

- Malicious or careless insiders who leak proprietary or confidential information (e.g. databases)

- The threat posed by criminal or terrorist groups (especially to public sector organisations)

An 'ISO over NIST' approach, which combines the technical frameworks of ISO/IEC 27002 and NIST 800-53, could serve both IT security and responsible corporate governance. By incorporating these standards into the overall strategic process, organisations can ensure that critical controls are in place to deliver IT governance in accordance with their operational requirements at a national and international level.

However, to achieve this, it is necessary to monitor and report across the full range of audit, business and security controls. In most cases, this falls under the umbrella of IT management, which may be dealing with many millions of log events each day, generated by multiple data sources: anti-virus, firewall, intrusion detection and prevention systems, databases, operating systems, applications and directory services. By automating the collection of relevant data, Security Information and Event Management (SIEM) gives organisations a cost-effective approach to achieving the necessary compliance and improving security.

Lowering costs & increasing competitiveness

Through SIEM, organisations can minimise the labour and human-error component of compliance initiatives by collecting and correlating relevant enterprise events across all locations and sources in real time. Correlation is what detects compliance violations, data breaches or other fraudulent activity. Compliance management information can then be visualised using graphical dashboards and reports that simplify and automate audits.

Key features include:

- Automated deployment and discovery of network devices and policies

- Role-based configuration wizards

- Standardised audit controls to provide an accepted set of reference controls

- Real-time and historical reporting

Using these reports, both internal and external auditors can spot-check an organisation's compliance with specific regulations. Equally important, management can use SIEM to monitor how the organisation's compliance posture changes over time. Furthermore, expanding the scope of compliance initiatives beyond the letter of the law, to safeguard assets and protect the integrity of business and operational processes, allows organisations to gain competitive advantage.

For example, a consumer-focused banking organisation recently acquired a large number of smaller companies. Using SIEM enabled it to integrate numerous disparate IT systems and policies under a single governance framework in a matter of weeks rather than months, freeing up IT management to address other high-value projects.

Managed Security Service Providers (MSSPs) can also benefit from SIEM. Their customers typically generate hundreds of millions of events each day, far too many to analyse individually. Using the correlation and prioritisation tools that SIEM provides reduced these events to as few as ten actionable alerts per day.
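To make the correlation and prioritisation described in the SIEM paragraphs above concrete, here is a small added example of how a correlation engine turns raw events from several sources into a short list of ranked alerts. It is illustrative code written for this page, not ArcSight's product or any vendor's code; the log lines, the trusted internal address range (10.0.0.0/8) and the two rules (a run of failed logins followed by a success, and a query against a cardholder table from an untrusted host) are all constructed assumptions.

```python
"""Toy SIEM-style correlation: normalise events, apply rules, prioritise alerts.

Added example, not ArcSight code. Sample events and the 'trusted' range are constructed.
"""
import ipaddress
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log lines from three sources: firewall, host auth log, database audit.
RAW_LOGS = [
    "2010-09-08T09:00:01 fw ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2010-09-08T09:00:02 auth FAILED user=root src=203.0.113.7",
    "2010-09-08T09:00:04 auth FAILED user=root src=203.0.113.7",
    "2010-09-08T09:00:06 auth FAILED user=root src=203.0.113.7",
    "2010-09-08T09:00:09 auth ACCEPTED user=root src=203.0.113.7",
    "2010-09-08T09:00:30 auth FAILED user=alice src=10.0.0.9",
    "2010-09-08T09:00:35 auth ACCEPTED user=alice src=10.0.0.9",
    "2010-09-08T09:01:00 db SELECT table=cardholder user=app01 host=10.0.0.5",
    "2010-09-08T09:01:30 db SELECT table=cardholder user=root host=203.0.113.7",
    "2010-09-08T09:02:00 fw DENY src=198.51.100.2 dst=10.0.0.5 dport=3389",
]

LINE_RE = re.compile(r"^(\S+) (\w+) (\w+)\s*(.*)$")
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range (hypothetical)
FAIL_THRESHOLD = 3                                   # failures needed before a success is suspicious
FAIL_WINDOW = timedelta(seconds=60)                  # sliding window for counting failures


def parse(line):
    """Normalise one raw line into a common event schema: ts, source, action plus key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped rather than crashing the pipeline
    ts, source, action, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "source": source, "action": action, **fields}


def is_trusted(ip):
    """True if the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def correlate(lines):
    """Apply both correlation rules to the event stream and return alerts, highest severity first."""
    alerts = []
    failures = {}  # (user, src) -> deque of failure timestamps still inside FAIL_WINDOW
    for ev in filter(None, map(parse, lines)):
        if ev["source"] == "auth":
            key = (ev["user"], ev["src"])
            window = failures.setdefault(key, deque())
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()  # expire failures older than the window
            if ev["action"] == "FAILED":
                window.append(ev["ts"])
            elif ev["action"] == "ACCEPTED" and len(window) >= FAIL_THRESHOLD:
                alerts.append({"severity": 9, "rule": "brute_force_then_success",
                               "user": ev["user"], "src": ev["src"], "failures": len(window)})
                window.clear()
        elif ev["source"] == "db" and ev.get("table") == "cardholder" and not is_trusted(ev["host"]):
            # Cardholder data touched from outside the trusted range: the PCI DSS-relevant case.
            alerts.append({"severity": 10, "rule": "cardholder_access_untrusted_host",
                           "user": ev["user"], "src": ev["host"]})
    alerts.sort(key=lambda a: a["severity"], reverse=True)  # prioritisation step
    return alerts


def summarise(lines):
    """Management-report view: how many raw events came in, how many alerts survived correlation."""
    alerts = correlate(lines)
    return {"events": len(lines), "alerts": len(alerts),
            "top_rule": alerts[0]["rule"] if alerts else None}


if __name__ == "__main__":
    print(summarise(RAW_LOGS))
    for alert in correlate(RAW_LOGS):
        print(alert)
```

The single failed login for alice is deliberately not an alert: on its own it is noise, and suppressing it is what shrinks ten raw events to two alerts. The cardholder-table rule outranks the login rule because the data it protects is in scope for PCI DSS; in a real deployment the severity and the trusted range would come from the organisation's asset and policy model rather than constants.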

Increasingly, compliance and security management is no longer the responsibility of the network administrator alone. All areas of business management, from boardroom, CIO and CSO level through to legal counsel and operations, are now involved. While executives at boardroom level may be less concerned with the bits and bytes of security and more with the business of security and its impact on the bottom line, SIEM can provide a holistic solution. By delivering the information required to answer the questions posed by corporate compliance, management can ensure that stringent controls are applied to regulate business processes and systems in a cost-effective, secure environment.