Credit union takes top-down approach to compliance

By Elisabeth Horwitt
22 Feb 2006 | SearchSMB.com


Like many companies small and large, Pennsylvania State Employee Credit Union (PSECU) in Harrisburg had been taking a somewhat piecemeal approach to IT security and regulatory compliance. The credit union used Security Professional Institute templates to facilitate compliance with key regulations like the Sarbanes-Oxley Act. A compliance officer tracked regulations and notified Kevin Doyle, the credit union's information security manager, of new compliance requirements.

About three years ago, however, things began to change.

"We noticed that auditors were more knowledgeable and more serious about security, and the scrutinizing level had gone up," Doyle reported. He attributed this mainly to the Gramm-Leach-Bliley Act (GLBA), enacted in 1999. To achieve compliance with GLBA, financial services firms need to identify vulnerabilities in electronic systems and assess the likelihood and impact of threats as well as the sufficiency of controls to mitigate those risks.

Steps for compliance success

Here are some basic steps to creating a successful security/compliance framework:

Do a gap analysis of current security practices and systems. Analyze this against a normalized control set such as ISO 17799. That tells you where you are versus where you need to be.

Prioritize your resources. Identify gaps in security policies and procedures, then put your resources where you'll get the biggest payback, not for regulatory compliance but for improving your security posture.

Normalize whatever policies you implement across the organization. Do an internal audit to determine whether security policies are consistently being followed.

Create a central repository for policies. Document policies and practices so you can prove compliance to auditors or litigators.

Doyle recognized that PSECU needed a more comprehensive and proactive approach to data security and privacy, not only to comply with GLBA but also to address the data security and privacy needs of the organization and its customers. PSECU serves about 120,000 e-commerce users, primarily via electronic connections like the Web and e-mail, which are vulnerable to break-ins.

However, as a small firm with only 500 employees, the credit union had limited manpower to enforce security policies. "Security is done by me and one other person," Doyle said. The firm needed to define a formal set of security policies and then make sure "that everyone in the organization took the policies seriously, and knew their responsibilities."

Regulatory compliance can be a thorny issue for SMBs, particularly public companies in highly regulated sectors such as government and finance. "They have the same number of regulations to comply with as larger organizations, but they don't have the full time staff to cover them," said Patrick McBride, vice president of compliance solutions at Scalable Software LLC in Houston.

That's why small and midsized businesses (SMBs) need, as much as large companies, to take a top-down, policy-based approach to compliance, McBride said. Deploying new policies and procedures for each new regulation that comes down the pike is simply too costly and inefficient. IT and security people spend all their time fighting fires and reinventing the wheel. "Best case, you keep having more policies to follow; worst case, they overlap and conflict," he said.

French Caldwell, a research vice president at Stamford, Conn.-based Gartner Inc., said, "A bottom-up approach to resources is too diffused, and you end up overlooking things that turn out to be important. Companies try to leave no stone unturned, but not all stones are equal; and if you're an SMB, you can't get at all the stones." Furthermore, staff members often have no idea what key security measures have been overlooked -- until federal regulators or lawyers come knocking.

Both small and large organizations need to step back and normalize their control set, policies and procedures, McBride said. "A good framework allows you to meet the broadest set of requirements across multiple regulations, without killing the IT department on the back end."

Fortunately, a number of standards organizations have come up with guidelines for implementing a policy-based regulatory compliance and security framework. These include the International Organization for Standardization's ISO 17799; the IT Infrastructure Library (ITIL), which provides IT best practices in a variety of areas; and the IT Governance Institute's Control Objectives for Information and Related Technology (Cobit), which is often used by auditors.

The guidelines focus not only on how to comply with individual regulations, but also on improving the overall governance of the IT organization and how to prioritize resources to address areas of greatest risk, Caldwell noted. Companies that have followed ISO 17799 and ITIL "have good security policies and documentable, testable controls in place, not just shelfware." Gartner clients who had implemented the guidelines "had a much easier time when Sarbox came along," Caldwell said.

PSECU is working toward ISO 17799 compliance right now, with the help of Scalable Software's consultants and software. "Scalable took existing policies and did a gap analysis, to see what was needed for ISO compliance," Doyle said.

Doyle began ISO 17799 training in December. He said he hopes to lay out the scope of the project by May, and submit it to ISO auditors. "Then we have to document all the procedures to show we're following best practices," Doyle said, adding that he expects this part of the initiative to take about six months.

Once PSECU has been certified as ISO 17799-compliant, "We need to build security practices into everyday tasks, make sure people understand that this is the way we do things from now on," Doyle said. "That'll be the hard part." For instance, "With new projects and security incidents coming at you from all directions, it's hard to remember to document everything."

However, Doyle said he expects the rewards to justify the pain. "We figure that if we're in compliance with ISO 17799, everything else will fall into place, including GLBA compliance."

This article originally appeared on SearchSMB.com.
