How to keep your company in step with compliance issues

Today's businesses are exposing their digital information throughout the extended enterprise. While information sharing has created new opportunities for collaboration, it has also opened the door for security and privacy breaches and created a need for secure information sharing and access.

Recent accounting scandals also created a need for tighter controls over procedures and liability for the accuracy of balance sheets and earnings reports.

The government responded to this need, resulting in new privacy and accountability laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act. As your organization navigates and interprets the specific requirements of each law and applies them to your circumstances, you also need to align your IT resources to support and enable compliance.

To support compliance, you should create a policy that identifies the system requirements, includes a road map for its implementation and provides a document that demonstrates your compliance strategy to auditors. In defining your policy, you should consider implementing the following security measures:

  • Access control: Make information accessible only to authenticated users who have a clear business reason to see it.

  • Encrypted storage: Prevent internal or external parties from viewing information they obtained without authorization.

  • Post-access control: Control the actions that end users can perform with information they are authorized to view.

  • Role-based administration: Uniformly assign permissions to groups of users based on their role in your organization.

  • Auditing: Know who accessed the content, what actions were performed and when.

  • Immediate access revocation: Deny access immediately to information when it is no longer needed.

You can implement several technologies to support these security measures, and some may already be part of your organization's security infrastructure. Inside the organization, server-side access control lists allow only authorized users to access content. At the perimeter, firewalls keep unauthorized external users off internal networks. Virtual private networks let external devices connect to the internal network over an encrypted tunnel, so confidential information can be shared with external parties without exposing it in transit. Public-key infrastructure supplies the keys and certificates that let you encrypt content and share it over the public Internet.

The above technologies provide secure information access and encryption. Beyond this, you need to protect your organization against trusted recipients of confidential information, who may accidentally or maliciously distribute the content. In most cases, the recipient has access to the content in its native format (such as a Microsoft Word document or an Adobe PDF) and is not restricted from saving, printing, copying or forwarding the content to someone else.

You should also be able to enforce a time limit for content access, and immediate access revocation when the time period expires. Secure collaboration systems address these aspects of compliance, by providing granular post-access control over information use, while enabling internal and external parties to collaborate on sensitive content such as earnings reports.

Without monitoring how your systems are actually used, you can't prove compliance. You need to establish and maintain detailed audit trails of all activity surrounding compliance-related content: who accessed it; what actions, such as printing or cutting and pasting, were performed; and what changes, if any, were made.

It's also best to force every change to be saved as a new version rather than overwriting the original. This preserves the revision history, which matters especially under Sarbanes-Oxley, which holds executives personally responsible for the accuracy of financial reports and mandates a system of controls over the financial reporting process. A combination of secure collaboration, accounting and enterprise content management systems provides this type of monitoring and version control.

In this regulated environment, it's not enough to protect your systems against end users inside your organization and outside intruders. You also need to limit the ability of administrators to access private health or customer information and confidential financial records. As you engineer your systems for compliance, you should include a system of checks and balances that, much like our government, distributes administration among several roles, such as auditor, security administrator and content administrator, while protecting content from the administrators themselves. Dividing administration this way means no single administrator can both grant access and hide the evidence of having done so, which limits your exposure to breaches by administrators.

Another way to ease administration and implement security is to assign roles, or profiles, to groups of users, rather than to assign permissions to each user on a case-by-case basis. For example, to comply with the privacy requirements of Gramm-Leach-Bliley and HIPAA, access to customer and employee records should be granted only to certain individuals who are responsible for interacting with the records or for updating their information. It is easier to create a group with access permissions that apply to the group and then add members to the group, than to keep track of the permissions applied to each end user. It is also much easier to demonstrate your compliance policy to auditors using groups.
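The controls described above (permissions attached to roles rather than individuals, administrators who cannot read the content they administer, a record of every access decision, and revocation that takes effect at once) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the article or from any product it mentions. The role names, permissions, users and file name are constructed, the separation-of-duties pairs are illustrative, and the hash-chained log is one way to make an audit trail tamper-evident, not something the article prescribes.

```python
"""Role-based access control with separation of duties and a tamper-evident
audit trail.  Added illustration; roles, users and file names are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Permissions are (object type, action).  "read" and "print" on a record are
# separate so post-access control (view but not print) can be expressed.
ROLES = {
    "finance_reviewer": {("record", "read")},
    "finance_editor":   {("record", "read"), ("record", "print"), ("record", "write")},
    "security_admin":   {("role", "assign"), ("role", "revoke")},  # no record access
    "content_admin":    {("record", "archive")},                    # cannot read content
    "auditor":          {("audit", "read")},
}

# Role pairs one person may never hold at the same time (checks and balances).
SOD_CONFLICTS = {
    frozenset({"security_admin", "auditor"}),
    frozenset({"security_admin", "finance_editor"}),
    frozenset({"content_admin", "auditor"}),
}


class Policy:
    def __init__(self):
        self.assignments = {}  # user -> set of role names
        self.audit = []        # append-only, each entry hashes the previous one

    def _log(self, actor, action, target, outcome):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "target": target, "outcome": outcome, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)
        return outcome

    def _permitted(self, user, obj, action):
        return any((obj, action) in ROLES[r] for r in self.assignments.get(user, set()))

    def assign(self, admin, user, role):
        """Grant a role; refused if the actor lacks role:assign or the result
        would put two conflicting roles on one person."""
        if not self._permitted(admin, "role", "assign"):
            return self._log(admin, "assign", f"{user}:{role}", "DENIED:no-authority")
        if any(frozenset({role, h}) in SOD_CONFLICTS for h in self.assignments.get(user, set())):
            return self._log(admin, "assign", f"{user}:{role}", "DENIED:sod-conflict")
        self.assignments.setdefault(user, set()).add(role)
        return self._log(admin, "assign", f"{user}:{role}", "OK")

    def revoke(self, admin, user, role):
        """Revocation is immediate: no decision is cached anywhere."""
        if not self._permitted(admin, "role", "revoke"):
            return self._log(admin, "revoke", f"{user}:{role}", "DENIED:no-authority")
        self.assignments.get(user, set()).discard(role)
        return self._log(admin, "revoke", f"{user}:{role}", "OK")

    def access(self, user, obj, action, target):
        """Every decision, allowed or denied, is written to the audit trail."""
        ok = self._permitted(user, obj, action)
        return self._log(user, action, target, "OK" if ok else "DENIED")

    def verify_audit(self):
        """Recompute the chain; an edited or deleted entry breaks it."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    p = Policy()
    p.assignments["sec-admin"] = {"security_admin"}  # bootstrap the first administrator
    r = {}
    r["grant_reviewer"] = p.assign("sec-admin", "alice", "finance_reviewer")
    r["reviewer_reads"] = p.access("alice", "record", "read", "Q3-earnings.pdf")
    r["reviewer_prints"] = p.access("alice", "record", "print", "Q3-earnings.pdf")
    r["admin_reads"] = p.access("sec-admin", "record", "read", "Q3-earnings.pdf")
    r["admin_self_audit"] = p.assign("sec-admin", "sec-admin", "auditor")
    r["revoke"] = p.revoke("sec-admin", "alice", "finance_reviewer")
    r["after_revoke"] = p.access("alice", "record", "read", "Q3-earnings.pdf")
    r["chain_ok"] = p.verify_audit()
    p.audit[1]["outcome"] = "DENIED"  # simulate an administrator rewriting history
    r["chain_after_tamper"] = p.verify_audit()
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The points to notice: the security administrator can grant and revoke roles but is denied a read of the very record whose access it controls; it also cannot make itself an auditor, so it cannot both act and sign off on its own actions; and the reviewer can view but not print, which is the post-access control the article asks for. The hash chain does not stop an administrator with write access to the log from altering it, but it makes the alteration detectable on the next verification, which is what an auditor needs.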

A final consideration in your compliance policy should be the way the content is stored, backed up and restored. In some cases, you must retain content for several years, which suggests the use of archival storage media. In any case, you need to back up the content and be able to restore it with all of its relationships intact.

If you're ever audited for Sarbanes-Oxley compliance, you may be required to show current or former financial records and reports. It would be disastrous if, after going through the pains of implementing the controls mandated by Sarbanes-Oxley, you lost and couldn't provide the required information due to a glitch in your archiving, backup or business continuity procedures.

While compliance is a hot topic and a considerable burden today, the results and benefits of compliance should include improved information security and privacy; greater transparency of accounting procedures; and a compliance policy and architecture that will help you to keep pace with your evolving regulatory and business environment.

Elaine S. Price is co-founder, president and CEO of CYA Technologies in Trumbull, Conn., a provider of business-continuity and secure-collaboration solutions. She has been an entrepreneur throughout her 20-year career in enterprise computing and has been CEO of three companies. Her career in the enterprise computing industry includes roles in programming, sales and management.

Copyright © 2004 IDG Communications, Inc.
