IT managers don't need to hear horror stories about TJX Corp.'s recent lapse of data security to know just how high the stakes have become when a corporation doesn't have proper data protection in place.
Although IT managers are already stretched to their limits, they are faced with the growing responsibility for regulatory compliance. Government regulations evolving over the last few years are firmly in place today, and it has fallen to the IT managers and those in the trenches to make sure safeguards are in place so that corporate data is protected.
Two regulations in particular, Sarbanes-Oxley and the Payment Card Industry (PCI) Data Security Standard, are garnering the most attention in IT shops.
Sarbanes-Oxley, also known as SOX, was enacted in 2002 in response to accounting irregularities at energy firm Enron Corp. The law sought to keep closer track of company finances so that company officials could produce complete financial data more quickly for regulators. Sarbanes-Oxley alone consumes 5,000 to 20,000 man-hours per year in 48% of IT shops, according to a recent survey by Gartner Inc., based in Stamford, Conn.
Enacted in 2004, PCI is intended to protect credit card holder data wherever it resides or is transmitted. The security breach at TJX, where about 45 million customer records were accessed, is exactly what PCI is intended to prevent. In December, Visa offered its merchants and transaction services providers $20 million in incentives to comply with industry rules.
"PCI impacts any part of the IT infrastructure through which credit card data is transferred, viewed -- even home users connecting to the company need to be PCI compliant," said Alex Bakman, founder of compliance reporting software vendor Ecora Software Corp. in Portsmouth, N.H. "The only way a part of your infrastructure does not fall under this guideline is if it's physically separated, and that is not feasible for most organizations."
Privacy legislation requiring that companies publicly disclose information security breaches to customers is also in effect in 31 states. Compliance experts expect that it will not be long before all 50 states have such laws in place.
Then there are more industry-focused guidelines, such as the Gramm-Leach-Bliley Act, designed to govern banks and other financial institutions.
More regulations mean more data scrutinized
All these rules and regulations mean that more and more data needs to be scrutinized. In fact, roughly 20% of the 161 exabytes of data created in 2006 are subject to compliance guidelines, according to research group IDC.
To ensure that organizations are following federal compliance regulations and other safeguards, government agencies regularly send auditors to companies to conduct checks. These auditors, who are becoming increasingly tech-savvy, are asking IT managers some tough questions -- and IT managers must be able to answer them and document the results.
In anticipation of compliance audits, some IT managers are being asked by their employers to sign and certify that their systems are protected against internal and external threats. These signed documents are becoming part of the audit trail when companies are pulled into compliance litigation.
And, in this process, the IT staff's role is changing -- not just in the hours they spend on compliance, but also in how they approach everyday tasks such as change management.
Compliance ranks high among daily tasks
IT manager Bill Grigonis said compliance remains high on the list of his daily tasks and has had an impact on just about every change made to servers and desktops at the American Bible Society, a $1 billion New York-based publisher of religious materials. "Everything we do focuses on regulatory compliance -- from the adds and changes we make to the servers down to the network. It's always in the back of our minds," he said.
Compliance has also caused IT managers such as Joseph Fleming, IT manager with Blue Cross Blue Shield in Helena, Mont., to become something of a counselor to their staff as their work comes under closer scrutiny.
"There is a Big Brother mentality when the auditor comes in and wants to see how we track the changes we've made to systems, why we made them and who made them," he said.
Knowledge gained from IT compliance audits
There are many lessons to be learned from those who conduct audits and from those who have been through one, particularly IT managers left with the task of figuring out exactly what the auditor -- who, IT professionals say, speaks a different language -- is looking for.
Auditors also may embark on a path outside the realm they were initially called in to review, Grigonis said. "A lot of auditors ask for things that aren't part of our company guidelines [for an audit]. If we don't have a specific policy they'd like to see, they can make a recommendation for the next audit. We don't have to follow it," he said, "but we usually do because we want to have the right checks and balances in place."
In some cases, organizations run into problems before the audit even begins -- as was the case with one company that processes millions of dollars worth of credit card transactions. While it was getting ready for a PCI audit, the company sent out a request for proposals divulging sensitive information to several consulting firms that were asked to bid on its risk management project.
"They divulged too much information, to too many people, and didn't even realize it," said Ken Smith, a principal auditor with Akibia Inc., an IT consulting firm that specializes in PCI compliance audits and risk analyses. "They obviously didn't have any controls or policies in place."
Not only that, but the company revealed in the proposal that the wireless network it used to process credit cards was not secure or encrypted and that it did not perform background checks on employees who were given data access privileges, Smith said.
Good news and bad news about compliance
The bad news is that many compliance guidelines remain vague, and more seem to pop up every year. The good news is that IT organizations that have been through an audit can benefit in many ways. For instance, after years of warning higher-ups about security risks in their organizations, IT managers at last have support for improving processes within the IT environment overall.
The key to keep in mind is that while technology may be a growing piece of meeting compliance -- IT accounted for 5% of a SOX audit three years ago, but now accounts for about 30%, according to Bakman -- you should view it as a means of enforcing policies, not as the end solution.
"A couple of years ago, every vendor said, 'My product will solve all your compliance needs,'" said Khalid Kark, an analyst with Cambridge, Mass.-based Forrester Research Inc.
"There is no one technology that addresses all your compliance needs. A good security framework is a function of people, processes and technology, with technology playing a large role in the automation of policies and processes."