Experts give advice to VARs looking to capitalize on the security sales momentum created by regulatory compliance
From the boardroom to the IT department, regulatory compliance is placing increasing security demands on companies of all sizes. Regulations such as SOX (Sarbanes-Oxley Act), HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), the Patriot Act, and Basel II require companies to monitor and control access to information in order to protect against fraud, abuse, and data breaches. Failure to comply can bring financial liability and costly legal action, as well as loss of corporate reputation and brand value. The ultimate goal is securing business processes; compliance is a means to that end. Although achieving compliance can be a daunting task for customers, it continues to provide security integrators with plenty of growth opportunities.
To get a taste of just how important security is to regulatory compliance, Craig S. Smith, director of channel sales for TriGeo Network Security, explains how Sarbanes-Oxley’s internal-control requirements, which auditors assess against the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework, translate into specific IT security controls. “Building an effective IT security infrastructure reduces the risk of unauthorized access. Improving security can reduce the risk of processing unauthorized transactions and generating inaccurate reports and can ensure a reduction of the unavailability of key systems if applications and IT infrastructure components have been compromised. The IT Governance Institute’s IT Control Objectives document, which provides specific recommendations based on COSO, specifically identifies the need for security monitoring control. The document states, ‘IT security administration monitors and logs security activity, and identified security violations are reported to senior management.’ These guidelines emphasize that compliance goes beyond check boxes,” says Smith.
Tom Zorn is the executive VP for VAD (value-added distributor) Alternative Technology. He says, “When you look at compliance, every aspect is touched by security. Businesses are trying to maintain the integrity of their data and the accountability of their data.” Zorn speaks from an interesting perspective, since Alternative is a distributor that focuses not only on selling security products, but also providing security training for its customers.
Regulatory Compliance Is A Moving Target
“One of the biggest trends in regulatory compliance is a rapidly changing regulatory landscape,” explains Kurt Roemer, chief security strategist for Citrix Systems, Inc. The landscape is changing because the regulations themselves shift, as do the technology and business requirements behind them. For instance, as new archival technology is introduced, an industry’s regulatory requirements may have to change to accommodate it.
Roemer adds, “Greater control and locale-specific regulations are the current hot trends driving the compliance industry. Regulations such as PCI DSS [the Payment Card Industry Data Security Standard] are setting a rapid pace for adoption and are seen as more specific and actionable when compared to previous regulatory requirements.” Add to this the specific requirements of individual states, countries, and regions, and it becomes clear that compliance is increasingly a catalyst for organizational and technical change.
There are efforts under way to eliminate the vagueness in regulatory compliance. Kurt Shaver, the VP and GM of the Americas operations for security software company GFI, says, “The trend today is to move away from vague regulations such as Sarbanes-Oxley and focus more on defined standards such as PCI DSS.” Standards bodies and legislators are realizing that compliance efforts cannot rest on vague requirements that consultants must decipher; Sarbanes-Oxley was often derided as so vague that many auditors were not sure what companies actually had to do. Newer standards are more clearly defined, which lets businesses adopt them more easily. PCI DSS, for example, spells out specific technical requirements, leaving less room for misinterpretation.
Start Simple When Entering Compliance
It can be very intimidating for new VARs to enter the security and compliance space. Alternative’s Zorn suggests VARs start simple. “One of the simplest ways to enter this market is to help your customers to develop simple network security policies. For instance, they should ask their customers if they have security policies in place. Ask them about their policies for Internet and e-mail access.” Starting that conversation can be the first step to helping your customer develop a security policy — whether or not they are subject to regulatory compliance.
Most VARs will not be compliance experts. Many consulting firms specialize in working with companies to develop complete plans for complying with industry-specific requirements. However, most of those firms stop at the plan: they do not install and configure the technology needed to meet its objectives. That is where the opportunities for VARs start. If you decide to take your practice to the next level, perhaps with compliance consulting, it is time to contact a VAD to learn about the next steps.
Avoid Common Pitfalls In Compliance
“One of the most common mistakes is when VARs do not fully understand the nature of the compliance initiative and sell a product or service that fails to meet the compliance requirements,” explains TriGeo’s Smith. “Customers understand that a layered approach often requires multiple solutions, so VARs must be very specific and clearly communicate what compliance requirements their solutions address — and what complementary technology can fill the remaining gaps — even if they don’t provide that technology.”
Citrix’s Roemer agrees. “The most common VAR mistake is not taking the time to actually read the regulation, and thus attempting to address compliance by proposing point solutions. Compliance requires a holistic view of organizational needs and is only adequately addressed through the implementation of a framework. The Application Delivery Infrastructure presents a strong framework for maintaining compliance.”
There is no silver bullet for regulatory compliance. “There is no such thing as a totally automated, hassle-free solution that does everything at a click of a button,” adds GFI’s Shaver. “From a legal and regulatory compliance perspective, it is impossible for any business to become 100% compliant with any existing standard just by implementing software.” He’s correct. Compliance demands management’s commitment to changing business practices, evaluating business processes, and fixing or discarding those that fall short of the control objectives. It means defining and implementing corporate policies on network resource use and on security efforts. “Trying to sell a compliance solution by describing it as a ‘universal panacea’ or as the ‘elixir of long life’ will definitely backfire,” says Shaver. VARs should take the realistic approach and market their solutions as tools that assist businesses in achieving their compliance objectives.
Source:www.bsminfo.com
Wednesday, 27 May 2009