RealTime IT News

Compliance Issues Still Bedevil IT

Every time another company is reported to be in breach of compliance, an enterprise IT professional dies a little.

The options are so many and real solutions are so few that most IT staff fear they'll be caught napping.

And no wonder: The cost of a breach, from discovery, notification and response to regulatory fines to restitution to other liabilities such as civil penalties, is astronomical, as giant retailer TJMaxx found out. Conversely, organizations that invest in privacy programs could see gains of $400,000 a year due to the reduced probability of a data breach and greater employee and process efficiency, according to Forrester Research.

A survey by Shavlik Technologies of 491 IT professionals attending the recent RSA Conference and Infosecurity Europe 2008 found that about 76 percent of them were either concerned or highly concerned about compliance with various mandates such as PCI-DSS, ISO 27002 or Sarbanes-Oxley.

It should be noted that Shavlik is hardly a neutral party. The company offers the Shavlik Security Suite, which automates assessments and remediation, and includes application control to help IT get rid of unwanted applications and keep them out. It also offers configuration and change management solutions, and custom reporting and analytics capabilities.

PCI-DSS looms largest in the minds of IT security professionals because, "even though the other two are law, PCI is better than law -- you can deny retailers the right to accept credit cards or raise their rates to the point where it's unacceptable," Nancee Melby, senior product manager at Shavlik Technologies, told InternetNews.com.

"Can you imagine a hotel which can't accept credit cards?"

By October, applications used by retailers at the point of sale must be "demonstrably secure", Melby said, adding that retailers are very concerned because "they don't know when to report that something is breached, or what to do when somebody's hanging an iPod off a system that's used to collect credit card information from all the various systems you have in a restaurant."

The survey respondents used 123 different solutions among them to manage the audit process. These ranged from home-grown applications to "a lot of systems" from various vendors.

That proliferation of solutions came about because, in the early days, many vendors were only offering vulnerability assessment tools, and didn't offer remediation solutions, so many enterprises had to buy different tools for assessment, remediation, ticketing and the other processes involved.

Then they had to try to make them work together.

Back to the future with patch management

Only about 61 percent of the respondents said they were satisfied or highly satisfied with their audit preparation processes. And small wonder -- the mishmash of tools jammed together led to doubts as to whether the tools were working effectively, and whether they were providing enough coverage of and information about the enterprise IT systems, Melby said.