Compliance strategies for the midmarket (IT Management Guide)

Table of contents
[Shamus McGillicuddy, News Writer] Three years ago, PCI auditors came to Peter Boergermann and asked him what his IT organization was doing with its log data. Network devices, servers, PCs, applications, firewalls and most other devices and software in a corporate system retain a log of every information transaction conducted on that machine. The log data is a virtual fingerprint of activity that takes place on a company's system. But gathering and making use of that data can be a challenge. Boergermann, associate vice president, MIS technical support manager and IT security officer at $1.1 billion Citizens & Northern Bank in Wellsboro, Pa., said the PCI auditors had just gone through training on the importance of log data to compliance. "They asked, 'What are you doing with your logs? Who's looking at them? How do you react to them? What changes do you make based on your reactions?'" Boergermann said of the auditors, who are charged with checking a company's compliance with the PCI security standards. "We weren't doing a lot with logs. After listening to their questions, we decided to start reviewing our options."
[Shamus McGillicuddy, News Writer] The financial burden of SOX compliance is slowly (but surely) starting to ease. The cost of compliance with Section 404 of the Sarbanes-Oxley Act declined by 21% in fiscal 2006, according to a survey by Financial Executives International. The Florham Park, N.J.-based organization found the average company spent $2.9 million on SOX compliance in 2006, versus $3.8 million in 2005 and $4.5 million in 2004. "Technology has a lot to do with the cost reduction," said Sanjay Anand, chairperson of the Sarbanes-Oxley Institute. Public companies "are actually automating their controls. A good 20 to 30%, even as much as 40%, of the cost reduction is actually coming from automated controls rather than manual controls." These cost reductions have come despite the fact that auditors' fees have remained relatively steady, the research revealed. External auditor fees dropped by just 11% in 2006, from $1.35 million to $1.2 million.
[Justin Korelc, Contributor] As an IT manager of a small or medium-sized business (SMB), you may find yourself asking, "How can we affordably and effectively store and archive data to meet regulatory compliance demands?" It sounds like a daunting task, indeed. But who doesn't love a good challenge? The key to regulatory compliance is the ability to enforce and monitor security policies and processes at any given time, all of the time. An SMB must therefore plan and maintain an effective security strategy for its business infrastructure from the outset, so that it serves as a solid foundation for regulatory compliance. Of course, early precautions against security breaches and network vulnerabilities are much easier and less costly than late reactions to a direct violation. So staying on top of relevant security issues as they change with the business's activities and operational environment is key.
[James M. Connolly, Contributor] IT organizations have survived Y2K, the Sarbanes-Oxley Act, HIPAA and other compliance issues that more or less have an end in sight once the deadlines have been met. But there's one hurdle for CIOs at small and medium-sized businesses (SMBs) that never really ends: the emergence of rules relating to electronic discovery, or e-discovery, of corporate communications and documents in court cases. The rules governing the types of information companies must produce when involved in lawsuits are being defined by individual court decisions and by changes to the Federal Rules of Civil Procedure (FRCP) that took effect in December. They affect companies of all sizes and in all industries. While larger companies may tend to be prime targets for lawsuits, SMBs are more likely to lack the IT and legal resources to deal with e-discovery. "The biggest thing we have to do from a small-company perspective is to balance everything we have to do because we don't have the luxury of a big staff," said Dan Grosz, vice president of information systems at VIP Parts, Tires & Service in Lewiston, Maine. "We wear multiple hats, and I don't want to add yet another hat. I have enough to worry about without having to become a lawyer." Yet Grosz said he recognizes that he will have to work with legal advisers to understand how the evolving e-discovery rules will affect his IT operations. He will also have to educate business-side users on the implications of e-discovery in their day-to-day communications.
[Joel Dubin, CISSP, Contributor] More employees with more laptops can mean greater exposure of your network to roaming security threats. And, in a worst-case scenario, a stolen laptop with sensitive customer data or proprietary company information can also expose the company to liabilities, legal or otherwise. Lost customer data can lead to identity theft and open the company to lawsuits. Lost proprietary information can damage the company's competitive edge, if not its business altogether. Large organizations have sophisticated network defenses and firewalls to block malware from compromised laptops. For outbound threats, they may also employ complex content control systems to prevent the loss of customer data or company information. Not so for SMBs, which may operate simple firewall networks on a shoestring and don't have the cash to spend on expensive content filtering systems and software. But there are solutions for SMBs that won't break the budget and involve little or no overhead. Many of these solutions rely on simple procedures and best practices that don't require bulking up stretched-thin IT departments or hiring a dedicated information security team. There are three parts to laptop security: physical security, administrative access and technical controls.