Compliance Issues Still Bedevil IT

Every time another company is reported to be in breach of compliance, an enterprise IT professional dies a little.

The options are so many and real solutions are so few that most IT staff fear they’ll be caught napping.

And no wonder: the costs of a breach, from discovery, notification and response to regulatory fines, restitution and other liabilities such as civil penalties, are astronomical, as giant retailer TJMaxx found out. Conversely, organizations that invest in privacy programs could see gains of $400,000 a year due to the reduced probability of a data breach and greater employee and process efficiency, according to Forrester Research.

A survey of 491 IT professionals attending the recent RSA Conference and Infosecurity Europe 2008, conducted by Shavlik Technologies, found that about 76 percent of them were either concerned or highly concerned about compliance with various mandates such as PCI-DSS, ISO 27002 or Sarbanes-Oxley.

It should be noted that Shavlik is hardly a neutral party. The company offers the Shavlik Security Suite, which automates assessments and remediation, and includes application control to help IT get rid of unwanted applications and keep them out. It also offers configuration and change management solutions, and custom reporting and analytics capabilities.

PCI-DSS looms largest in the minds of IT security professionals because, “even though the other two are law, PCI is better than law — you can deny retailers the right to accept credit cards or raise their rates to the point where it’s unacceptable,” Nancee Melby, senior product manager at Shavlik Technologies, told InternetNews.com.

“Can you imagine a hotel which can’t accept credit cards?”

By October, applications used by retailers at the point of sale must be “demonstrably secure”, Melby said, adding that retailers are very concerned because “they don’t know when to report that something is breached, or what to do when somebody’s hanging an iPod off a system that’s used to collect credit card information from all the various systems you have in a restaurant.”

The survey respondents used 123 different solutions among them to manage the audit process. These ranged from home-grown applications to “a lot of systems” from various vendors.

That proliferation of solutions came about because, in the early days, many vendors were only offering vulnerability assessment tools, and didn’t offer remediation solutions, so many enterprises had to buy different tools for assessment, remediation, ticketing and the other processes involved.

Then they had to try to make them work together.

Back to the future with patch management

Only about 61 percent of the respondents said they were satisfied or highly satisfied with their audit preparation processes. And small wonder — the mishmash of tools jammed together led to doubts as to whether the tools were working effectively, and whether they were providing enough coverage of and information about the enterprise IT systems, Melby said.

Patch management is another problem — although respondents used a total of 115 solutions among them for this, 40 percent said they were unsatisfied with their current solutions and many still used manual processes for patch management.

Using manual processes seems strange in this day and age — after all, Shavlik, which began as a patch manager tool vendor, was doing this about 15 years ago. But enterprise IT departments were forced to resort to this because “the Windows Server Update Service (WSUS) and other Microsoft tools aren’t good enough,” claimed Melby.

Not only do these tools lack robust reporting capabilities, but WSUS “only covers a limited set of Microsoft tools” whereas enterprises also run tools from other vendors on their desktops or servers, Melby said.

And systems integrators may be able to use solutions like SMS to automate assessments and deployments, but “the scripting you have to do to get the reports you need is almost a full-time job,” according to Melby.

Top priorities for respondents were data protection and leakage prevention (53.2 percent); internal network security (51.8 percent); policy and regulatory concerns (43.8 percent); patch management (38.6 percent); and the security of virtual machines (32.6 percent).
