Consumer Security

The Art of Data Management Compliance, Part 3: Executing Processes

Data management rules and regulations have become a major concern for businesses, due in large part to increasing oversight that often requires organizations to invest in new technologies in order to address compliance issues.

However, the promise of enterprise technologies as a solution to the demands of data management compliance will go unmet absent a context of sound policy and strategic planning.

Part 1 of this three-part series discusses the major challenges associated with the extensive web of rules and regulations affecting data management. Part 2 discusses current security threats and outlines how companies can safeguard their networks against them.

Post-Compliance Paradigm

“The biggest challenge for managing data is that data and processes are ‘invisible’ — they’re not things you can see and hold and move around in a way that you viscerally know you are managing them,” Gwen Thomas, president of the Data Governance Institute (DGI), told the E-Commerce Times. “And so, we have to respond to this challenge by adopting frameworks to help us organize how we think and communicate about these complicated or ambiguous concepts. If we do this, we have a way of making the invisible more visible.”

Organizations can address the majority of compliance requirements by updating their work processes using the “Post-Compliance Paradigm,” developed by DGI. The paradigm asserts that, in a compliance environment, work is not complete until a company first does it, controls and documents it, and then proves compliance. That effort begins with company managers, for whom compliance is job one.

“It is the fiduciary responsibility of corporate management to stand behind and prove that their electronic records accurately reflect the course of business they are on, and that they are honest and ethical custodians of sensitive information,” said Surety CEO Tom Klaff. “Broad and transparent integration of data-level controls can detect and deter data manipulation, either by outsiders or — more likely — by trusted members of the organization.”

Solutions such as electronic signatures answer the “who” question associated with electronic records, Klaff told the E-Commerce Times. “But answering the ‘when’ question is critical in proving that electronic records have not been altered. It’s an irrefutable way of verifying the origin, authenticity, authorship and creation date of electronic data without disclosing the actual contents of that data.”

Compliance efforts are by their nature overlays onto existing business processes, so it’s critical that organizations become compliant without disrupting the business, said Mark Kraynak, senior director of strategic marketing for Imperva.

“They’ve got an alphabet soup of similar but slightly different regulations coming at them,” he noted. “The solution is to have a single process and an integrated technical solution that can cost-effectively meet multiple regulatory demands for data privacy and data integrity.”

Kraynak advises addressing the full scope and full life cycle of application data security. “Many companies only address the data aspect of compliance and have a visibility blind spot when users access and use this data via applications,” he told the E-Commerce Times.

Companies should take a comprehensive enterprise approach to data protection, proposes Derek Tumulak, SafeNet’s vice president of product management.

“Regulators and auditors don’t care about the technical challenges of dealing with this issue, and most have never even heard the term ‘connection pooling’ … they just need to know who viewed or changed data,” he noted.

Technical Solutions

That said, once a company develops a strategy and puts policies and procedures in place, technology can be implemented.

Companies should make an investment in a highly secure hardware appliance for the data center that can be leveraged across a wide range of environments for protecting information, Tumulak suggested. “This includes applications, databases, file servers, IBM mainframes and point-of-sale environments,” he told the E-Commerce Times.

Secerno’s approach “puts up the stoplight before the accident occurs,” according to Sam Paone, sales vice president at the database security company. In Secerno’s concept of “differential auditing,” auditors focus on changes to the systems and environment and are not required to review the entirety of activity in order to perform focused audits.

The presentation of collected data is very important, noted Express Metrix CEO Kris Barker. “Information must be made available in formats that provide solutions to real business problems like regulatory compliance and data security,” he told the E-Commerce Times.

To assist companies in meeting mandates, Compliance Coach offers a product called “CompliancePal,” software that provides identity theft detection and response procedures.

To fight identity theft, Voltage Security offers a cryptographic solution called “Format-Preserving Encryption” (FPE) to protect structured data such as credit card numbers, bank account numbers, Social Security numbers and so forth within databases and as the data is used by applications. For example, FPE enables an encrypted 16-digit credit card number to remain 16 digits, according to the company’s vice president, Wasim Ahmad.

“So while it still looks like a credit card number, it’s not the actual number — and best of all, databases and applications don’t need to be changed or modified,” Ahmad explained to the E-Commerce Times. “Other approaches result in large blocks of encrypted data that force you to spend serious time with modifications. Furthermore, this new approach focuses on protecting the data wherever it goes, like reports, backups, applications and databases. So, even if criminals are able to breach a company’s defenses and get access to its data, they won’t be able to compromise customer identities.”

Compliance Automation Tools

One of the major challenges for companies, especially small to medium-sized firms, is the availability of resources that can be directed toward compliance, said MyComplianceOffice’s Timothy Kennedy.

“As a consequence, many companies are looking to automation to help accurately and effectively manage compliance in a rapidly changing regulatory environment,” he told the E-Commerce Times. “When an audit does occur, the ability to quickly provide regulators with accurate, up-to-date data demonstrates the firm’s commitment to establishing a culture of compliance.”

Five “R’s” — role, responsibility, routing, reporting and response — underpin compliance management, Robert D. Kugel, vice president and research director at Ventana Research, told the E-Commerce Times.

“Full-featured compliance process automation tools should do four things,” Kugel said. “One, help the company define the ‘5 R’s’ of compliance management processes. Two, automate the execution of the processes. Three, perform all tests to ensure that the system is working. And four, generate all necessary documentation.”

ComplyAssistant markets ComplyAssistant Office Suite (COS), a dashboard tool that automates regulatory compliance and the management of multiple compliance rules in a single database. COS is designed to run on a company intranet or via the Internet.

Each compliance rule is a “plug-in” to COS. Predefined content in the COS rules library include OIG (Office of Inspector General) Federal Healthcare Compliance, HIPAA (Health Insurance Portability and Accountability Act of 1996) privacy and security, SOX 440 (Sarbanes-Oxley Act of 2002), JCAHO (Joint Commission on Accreditation of Healthcare Organizations), FISMA (Federal Information Security Management Act), FIPS (Federal Information Processing Standards) and GLBA (Gramm-Leach-Bliley Act of 1999).

The ControlPath Compliance Suite from ControlPath is designed for compliance and enterprise risk management purposes. The suite automates the compliance process so that organizations can leverage their efforts across multiple regulations (SOX, GLBA, HIPAA, Payment Card Industry and FISMA), security standards such as ISO17799, and internal policies and standards.

Master Data Management Software

Then there’s enterprise application software. The incipient business opportunity presented by data management and compliance has not escaped the notice of mega software giants like IBM, Oracle and SAP, which hope to ride to a lucrative rescue in the form of the little known but nonetheless expanding multibillion dollar master data management (MDM) hub market within the IT industry.

The worldwide MDM market was US$1.1 billion in 2006 and forecast to grow to $6.7 billion by 2010, according to a 2007 report by Forrester Research. The report noted that, of 2006 revenues, about one-third went to software licenses, a figure that includes customer data integration (CDI) and product information management (PIM) systems.

“During 2008, MDM solutions from IBM, Oracle, SAP and Teradata will monopolize majority market share in the G5000 enterprise,” said Aaron Zornes, founder and chief research officer for the MDM Institute, a research firm covering enterprise IT issues. “Meanwhile, mid-market solutions will arrive from Microsoft, Nimaya and Oracle, plus data quality vendors Pitney Bowes Group 1 Software, SAS/DataFlux and Trillium.”

By 2012, Zornes predicted, the market for enterprise MDM solutions (software and services) as both strategic initiatives and to refresh aging legacy MDM capabilities will exceed $3 billion.

Though major software companies like IBM and Oracle offer MDM products, there’s no single complete MDM technology product yet on the market, according to the Forrester 2007 report. No single vendor technology package exists today that can effectively manage all data domains, including customer, supplier and product, noted Rob Karel, the study’s author and a principal Forrester analyst.

“[MDM] is not an application, it’s a capability and it has a lot of moving parts,” Karel noted. “If [organizations] implement technology first, it’s usually going to be expensive, but under-delivering on expectations.”

Fortunately for companies forced to deal with the combined pressures of confronting both crime and regulation, there is outside help available. They can subscribe to the Department of Homeland Security’s National Cyber Alert System to receive free alerts on new threats and learn how to better protect their areas of cyberspace. Also, the U.S. Small Business Administration’s Business.gov site provides a single point of access to government services and information that help businesses comply with government regulations.

The Art of Data Management Compliance, Part 1: Keeping Pace

The Art of Data Management Compliance, Part 2: Guarding Against Theft

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Ned Madden
More in Consumer Security

E-Commerce Times Channels