Regulatory compliance remains a high priority for many
companies, particularly those in industries such as financial services and
health care. Some are turning to managed security services as a way to protect
data and systems and to ensure that they are compliant with regulations.
Businesses face an array of security-related laws and
regulations, including the Sarbanes-Oxley Act, the Health Insurance Portability and
Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Federal Information Security
Management Act, California's SB 1386 and the Payment Card Industry Data Security
Standard. Beyond those regulations, many organizations are benchmarking
themselves against industry standards or best-practices frameworks such as
Control Objectives for Information and Related Technology (COBIT), the Information
Technology Infrastructure Library (ITIL) and ISO standards.
Reluctantly, companies are spending increasingly large sums of
money on compliance. In March 2006, a study by AMR Research predicted that total
compliance spending in 2006 would reach $27.3 billion. The study, based on a survey
of more than 325 North American business leaders and IT professionals, also
projected that spending on compliance would rise to $28 billion in 2007.
Three quarters of organizations worldwide must comply with two
or more regulations, and nearly half (43%) must comply with three or more,
according to a report by the Security Compliance Council, a group formed by the
Institute of Internal Auditors, Computer Security Institute and BindView in 2005
to help organizations worldwide meet the challenges and cost of security
compliance.
The study, called the 2006 Security Compliance Benchmark
Research Report, surveyed more than 200 IT security and compliance professionals
at corporate and government organizations worldwide. The findings say that
organizations spend an average of 34% of their IT resources on satisfying
security compliance for multiple regulations. Because of the way many
organizations have set up their security-management function, chief security
officers "appear to be ill-equipped to effectively manage the demands of
demonstrating IT security compliance with regulations," the council report
finds.
Some companies are seeking help from service providers rather
than taking on the task of security compliance in-house. One third of the
organizations surveyed by the council are employing professional service firms
to "re-align the time spent on demonstrating compliance" and 17% are
outsourcing or offshoring security compliance. Not surprisingly, many companies
are searching for a payoff from escalating security investments.
Managed Compliance
The rise of managed security services is well documented, especially in
organizations where security isn't a core competency. A case in point: the
Screen Actors Guild-Producers Pension and Health Plans (SAGPH) has been
using Symantec's managed security service since 2002. SAGPH, which provides
health-care and pension services to more than 45,000 members of the Screen
Actors Guild and their dependents nationwide, began using the Symantec service
to help securely expand its online pension and health-care services.
The Pension Security Act, which protects workers in the event of
the collapse of a pension plan, requires that SAGPH expand its online services
to include online pension-management tools, real-time updates to information,
online reports and online customer support.
"The organization needed to improve the security of its
expanding network. But SAGPH has a small IT staff and needed help developing
strong security," says Kevin Donnellan, assistant CIO, SAGPH, Burbank,
Calif. The organization considered hiring security engineers, but decided that
it was too costly, and then opted for a managed service to monitor and manage
its firewalls and intrusion-detection systems. "One of the unanticipated
benefits is that SAGPH can ensure compliance with regulations, such as HIPAA,
related to the protection and security of member health-care and pension
information," says Donnellan. With the bolstered security and resulting
HIPAA compliance, the organization's executives "can look at ourselves in
the mirror and say we did the best we could with the resources we had,"
says Donnellan. "Yes, things could still go wrong. But at least we can go
back and say we employed this large business partner that does this for a
living."
Using Symantec's managed security services and software, SAGPH
centralized its network security and automated administrative processes to
improve efficiency. Another major benefit was cost avoidance. Between 2003 and 2005,
the organization saved $706,000 by avoiding the need to hire security
administrators. Another company, Addison Avenue Federal Credit Union, Palo Alto,
Calif., has used a managed service from SecureWorks to protect its data since
2003. The service enables the firm to comply with the Gramm-Leach-Bliley Act, which
includes security requirements for credit unions as determined by the National
Credit Union Administration.
"Firms need some [mechanism] for showing that you are
assessing any vulnerabilities in your security model that could lead to a breach
or compromising member information," says Ken Smith, information security
officer, Addison. By monitoring the firm's network perimeter for weaknesses,
SecureWorks enables Addison to meet the security requirements.
A Growing Market
"There's increased interest in managed security services because of
regulatory compliance," says Allan Carey, program manager, Security
Services and Identity Management, IDC, Framingham, Mass. "Organizations are
being asked to hold on to network logs, e-mail and other data for specific
periods of time depending on the regulation," says Carey. "In
addition, they must be able to produce records in a timely fashion if asked by
the courts or by their auditors." All this is helping drive demand for
managed services, he adds.
For many organizations, gathering data and producing reports to satisfy
compliance requirements is still very much a manual process, according
to Carey. Companies are looking to managed security providers for three main
reasons: to help automate some of the processes and more efficiently demonstrate
due diligence; to help proactively identify areas of weakness and remediate them
prior to an audit; and to be better positioned to conduct incident response and
forensic analysis when necessary, he says.