Eight Tips on an Information Management Strategy for Regulatory Compliance
1. Know what compliance laws/regulations apply to your company. Legal departments, chief financial officers and/or chief information officers should know what compliance laws and regulations apply. These may include the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the Federal Rules of Civil Procedure (FRCP), the Federal Information Security Management Act (FISMA), the Patriot Act, and/or regulations from agencies such as the SEC, NASD and NYSE.
2. Know what data has to be protected. Each regulation identifies what type of data has to be protected. In some cases only data identified as sensitive or private is affected, so not every department or PC may require the same degree of data control and security.
3. Conduct a full Risk Assessment. This can be done internally, or through an outside security consultant, to identify vulnerabilities that will impact the organization’s ability to meet requirements for information management and compliance. In conjunction with the Risk Assessment, you need to conduct an enterprise-wide Data Assessment to identify and locate where sensitive data resides, how much of it there is and what the data is. You cannot secure your data until you know where it is. Then identify the Data Flow: once you have identified where the data is, you need to document how it moves. In all work environments there is an “official flow” and an “unofficial flow.” How people go about getting their jobs done doesn’t necessarily conform to the organizational chart or to what is written in company policies. Data flow factors include who creates the data and who has access to it; when the data is created, stored, accessed and disposed of; where the data resides at rest and where it goes when in motion; how business processes and workflows use the data; and why the data was needed, is currently needed, or will be needed in the future.
4. Design, budget, schedule, and implement the network security architecture. The network security plan will be based on the risk and data assessment, data flow, and any applicable policies, both internally defined company policies and externally defined regulatory policies. Basic ideas are available from sources such as the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) as well as the individual regulatory acts. Forklift upgrades will likely require the approval of senior management and possibly affected department heads, and the timeline for implementation may need to be adjusted accordingly.
5. Use tools for discovery/search/archive/hold/alert/audit. A good information management system is needed to meet requirements for discovery, retention, search/e-discovery, and disposal of sensitive information. It should include tools that proactively identify documents containing sensitive information anywhere on the network, including the desktops, and “hold” capabilities to prevent disposal schedules from removing critical information if litigation is pending. It should also raise automatic alerts when data is somewhere it’s not supposed to be, and it should be able to run data audits and produce detailed reports on data status when the law or the auditors require them.
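To make the discovery-and-alert idea in tip 5 concrete, here is an added example (not code from the original article or from any particular product) of the two checks such a tool performs: it walks a directory tree looking for documents that contain card numbers or US Social Security numbers, and it flags any hit that sits outside an approved storage location. The directory names, the approved-location list and the sample files are constructed for the demonstration; the Luhn check is included so that ordinary numeric identifiers are not reported as card numbers.

```python
"""Minimal sensitive-data discovery scan with a misplacement alert (example code)."""
import os
import re
import tempfile

# Constructed detection patterns: card-number digit runs with optional
# separators, and the common US SSN layout. Real tools carry many more.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects random digit runs that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Count likely card numbers (Luhn-valid) and SSN-shaped strings in text."""
    hits = {"card": 0, "ssn": 0}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits["card"] += 1
    hits["ssn"] = len(SSN_RE.findall(text))
    return hits


def scan_tree(root: str, approved_dirs) -> list:
    """Walk root and report files holding sensitive data.

    Each finding carries alert=True when the file lies outside every
    approved directory, i.e. the data is "somewhere it's not supposed to be".
    """
    findings = []
    approved = [os.path.abspath(d) for d in approved_dirs]
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_sensitive(fh.read())
            except OSError:
                continue            # unreadable file: skip, a real tool would log it
            if hits["card"] or hits["ssn"]:
                in_approved = any(
                    os.path.abspath(path).startswith(a + os.sep) for a in approved
                )
                findings.append({"path": path, "card": hits["card"],
                                 "ssn": hits["ssn"], "alert": not in_approved})
    return findings


def demo() -> dict:
    """Build a constructed sample tree, scan it, and key results by file name."""
    root = tempfile.mkdtemp()
    approved = os.path.join(root, "finance", "vault")     # sanctioned location
    stray = os.path.join(root, "shared", "desktops")       # unsanctioned location
    os.makedirs(approved)
    os.makedirs(stray)
    with open(os.path.join(approved, "ledger.txt"), "w") as fh:
        fh.write("Card on file: 4111 1111 1111 1111\n")   # Luhn-valid test number
    with open(os.path.join(stray, "notes.txt"), "w") as fh:
        fh.write("Call Pat re: 4111-1111-1111-1111, SSN 123-45-6789\n"
                 "Order id 1234567890123\n")                # 13 digits, fails Luhn
    with open(os.path.join(stray, "readme.txt"), "w") as fh:
        fh.write("nothing here\n")
    return {os.path.basename(f["path"]): f for f in scan_tree(root, [approved])}


if __name__ == "__main__":
    for name, f in sorted(demo().items()):
        print(f"{'ALERT ' if f['alert'] else 'ok    '} {name}: "
              f"cards={f['card']} ssns={f['ssn']}")
```

Running the script prints one line per file that contains sensitive data, with `ALERT` on the file that sits on a desktop share rather than in the approved vault; the order number in `notes.txt` is not counted because it fails the Luhn check. A production tool would add file-type parsers, hashing of findings for audit reports and a ticket or SIEM hook for the alert, but the classify-then-check-location structure is the same.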
6. Use tools for backup/disaster recovery. A rock-solid information management system does not eliminate the need for backup and recovery. The archiving capabilities in the information management system will show a history of the files: where they existed, when they existed and who created or changed them. Backup systems do not do this, but they are necessary to enable the recovery of lost, corrupted, or damaged files and can provide bare-metal restores of desktops, servers and databases. You really should have both a backup/disaster recovery system and an information management system.
7. Document/Monitor/Test. Create and update the Security Policy Document for the compliance regulations. Auditors first look to see if you have a security policy document covering the compliance rules, and then whether you are following what you have written down. Say what you do in the document, and then do what you say. The first time the auditor finds a process not in the policy document, you are in for a long audit. You will always have to monitor and test your secure network. Networks, and the people connected to them, are dynamic and constantly create change, not to mention the bad guys outside your network. Invest in some good vulnerability assessment tools and consider contracting a security service to do an external and internal security audit at least twice a year.
8. Finally, train the people who handle the sensitive data on the security policies. This is another area an auditor will look at: do the people handling the data know what the rules are?