March 15, 2006

The 5 Rules of the Regulatory Process

If you work in enterprise IT security, regulatory compliance is probably nothing new to you. There is a good chance you hate the thought of it, but you are intimately aware of the challenges and the expense your business has had to go through to meet compliance objectives.

But if you are a small business, I'll bet it's a fearful phrase you typically try to avoid. Or worse yet, a phrase that you don't believe applies to you! Don't worry. You are not alone. But I'd like to challenge your thinking and belief system as it relates to regulatory compliance and small business. I believe that if anything, small businesses should realize that the process of creating an environment for regulatory compliance is not that difficult and can be used as an ASSET to the business; an advantage over many competitors that offers real business benefits to your company.

Look, when it comes to this topic, the biggest challenge businesses of all sizes face is in ensuring that regulatory compliance objectives are observed and that compliance can be demonstrated and accurately monitored and reported. What's interesting is that, against what many security vendors are trying to sell you, this can be done with a lot of what you already have by stepping back and using a 'higher security mind-set'. In other words, you don't HAVE to outlay huge investments in unnecessary security safeguards if you think more clearly about the objectives you need to reach. By applying appropriate technical safeguards for enforcing compliance to meet required corporate security and audit policies, small businesses can greatly facilitate the demonstration of controls that enhance the integrity and auditability of their IT systems.

Quite frankly, the process of regulatory compliance is a business problem, not a technical one. Or more to the point, regulatory compliance is a process... not a product.

A few years ago, I started talking about and introduced to my readers the 8 Rules of Information Security, which greatly increase the effectiveness of security controls. I wish I could take credit for the original thinking behind those rules, but it was something I really learned from Kevin Day. Today though, I would like to introduce similar thinking to how small business can approach regulatory compliance. Borrowing from how Kevin approached information security, I would like to approach regulatory compliance in a similar manner. What it comes down to is 5 Rules of the Regulatory Process.

  1. Rule of Information Protection - Limit access to information to only those people and resources that absolutely need it. When possible, limit access to the information resource to trusted sources only. Use the Rule of Least Privilege from the 8 Rules of Information Security alongside the Rule of Trust to ensure that this rule can be respected. Some examples of technical safeguards that can assist in meeting this rule's objectives include using the operating system's access control system (ACLs, permissions, etc.), file/folder/disk encryption and network access control (firewalls, authentication, etc.).
  2. Rule of Information Integrity - The ability to ensure information is accurate and an unchanged representation of the original secured information is critical to regulatory compliance. Once you have applied safeguards to ensure information resources are only accessible to those people that absolutely need it, it is critical that you can demonstrate who DOES access those resources, and what changes they may cause to the information. Without it, there is no way to ensure the integrity of the original information, or to account for any acceptable changes that may occur. Some examples of technical safeguards that can assist in meeting this rule's objectives include backups, document version control and audit logging (i.e. the Auditing controls in Group Policy).
  3. Rule of Information Availability - It is important to ensure that information resources are readily accessible to authorized personnel at all times. With the growing need of remote mobile users to access this information, access has to be provided in a responsible manner that ensures it can be done safely and securely. At the same time, while offering availability it is crucial that the rules of Information Protection and Information Integrity be respected. By following these rules, businesses do not sacrifice security to gain access to information assets. Some examples of technical safeguards that can assist in meeting this rule's objectives include Virtual Private Networking (VPN) and both online and offline document rights management.
  4. Rule of Information Retention - One of the key aspects of many of the regulatory compliance standards is that information must be retained for a given period of time, and guaranteed to be able to be reproduced in its original form as required. Small businesses need to retain certain information, like contracts and financial records, in order to operate their business and to ensure that they are operating in conformity with provincial, state and federal laws. When the Rule of Information Integrity is applied, this rule helps protect the business against allegations that information was destroyed in an effort to avoid liability. A good information retention policy also allows businesses to benefit from being able to easily retrieve older and archived information that is not readily accessible in day to day operations. Some examples of technical safeguards that can assist in meeting this rule's objectives include backups, email retention and archiving and document version control.
  5. Rule of Risk Management - Without information assets, there are no threats to which risk can be applied. In other words, if an adversary has no interest or objective to go after, there may be very little risk. As an example, an attacker probably doesn't care much about your company's MP3 share. But they might care about your shared Contract library. Without cataloging information assets to understand what needs to be protected, there is no way to evaluate what is at risk. Risk management does not have to be overly complex or require significant change to business processes to understand and evaluate. It comes down to looking constructively at what information is important to the business, and assessing what risks may be exposed to those assets. And this assessment process is always ongoing and regularly evaluated. As they say, to be forewarned is to be forearmed. Some examples of technical safeguards that can assist in meeting this rule's objectives include the usage of risk assessment tools such as MSAT and MBSA, following a regular patch management process and receiving relevant guidance and expertise from responsible vendors.

Now I know these rules may seem over-simplistic. If we focus on what the expected outcomes are though, we actually begin to see this come together. Some outcomes would include:

  • Accountability
  • Auditability
  • Privacy
  • Data integrity

Interesting. Now let's look at some of the existing regulatory compliance standards:

  • Financial Governance - Sarbanes Oxley (SOX)
  • Health services - HIPAA
  • Banking - Gramm-Leach-Bliley (GLBA)
  • Privacy - SB1386/AB1950

You know what? What is interesting about those standards is that their compliance objectives echo the outcomes we can achieve with those 5 rules. In other words, we can meet the original challenge of ensuring that regulatory compliance objectives are observed and that compliance can be demonstrated and accurately monitored and reported. By applying these 5 rules, small businesses can greatly facilitate the demonstration of controls that enhance the integrity and auditability of their IT systems. And that is the goal we are after.

Now you might be asking how this can directly benefit your small business as an asset and not a liability. Well, look at some of the business benefits that can be reached if you apply some of the technical safeguards to meet the objectives of the 5 Rules of the Regulatory Process:

  • You can have a more effective backup strategy that can help in disaster recovery and business contingency planning.
  • You can have a more effective information retention strategy to recover information and offer auditability and accountability to those agencies that may need it.
  • You can have a more effective and secure remote access strategy that can help extend and enhance user productivity through better information access.
  • You can reduce business risk to information assets while understanding the real impact of technical safeguards against those risks. This will allow you to make more intelligent business decisions and reduce total expenditures on unnecessary security safeguards that will do little but interrupt your business workflow.

These have a direct impact on your business and your IT infrastructure. For many small businesses, these strategies will offer unprecedented protection to information assets and offer your business ways to get more out of your IT investment while saving money and reducing risk. What more can you ask for?

Technology will fail. People will fail. If you apply these 5 rules you will be able to recover from those failures and significantly reduce the impact those failures may have on your business. And in my book, that is more important than fretting that you can't afford to put such policies and procedures into play in your IT infrastructure. Or worse yet, that you don't think such safeguards are good for your business. They absolutely are... and are within reach.

Update: If you would like to see how I apply these rules in my own small business you can read about how I do it here with the use of SBS 2003.

Posted by SilverStr at March 15, 2006 10:52 AM
Comments

I just finished your WebCast as part of the Microsoft Small Business Summit today and I have to tell you that this is one of the best webcasts I have seen. Your ramblings, as you put it, really delivered what you saw as valuable in the five rules and how there is a valuable self-interest for small businesses in adhering to them in a way that is integrated in how the business operates. Thanks.

Posted by: orcmid at March 16, 2006 01:38 PM

Thanks! I'm glad that you found the webcast insightful. And I do hope you will consider applying the rules to your own business.

Good luck!

Posted by: Dana Epp at March 16, 2006 02:35 PM