McAfee Security Insights
The Practical Guide to Compliance
Financial services companies today must take advantage of security technologies and secure content management products to help them gain and maintain compliance with current regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act (GLBA). Financial services firms such as investment firms, retail and commercial banks and insurance providers, and even companies that provide services such as hosting to the financial services industry, must comply with these regulations.
Each regulation addresses a different issue and has its own basic requirements for compliance; however, the regulations don’t explicitly tell financial services organizations exactly what to do to achieve compliance.
The CIA Triangle
Current regulations focus on different areas of the “CIA triangle”— confidentiality, integrity and availability. For instance, the Sarbanes-Oxley legislation that was passed by the United States Congress in 2002 holds company CEOs and CFOs personally responsible for the accuracy of their financial reports.
“Sarbanes-Oxley is all about integrity, making sure financial reports are complete and accurate, or at least making sure the controls that produce those are accurate,” says Peter Schawacker, McAfee Security Evangelist.
On the other hand, the Gramm-Leach-Bliley Act, signed into law in 1999, regulates what financial services firms can do with the nonpublic personal information they collect from customers in the course of providing financial products and services such as investment advice. “This covers confidentiality, because companies are supposed to make sure that there’s a wall between M&A and brokerage areas, for instance,” Schawacker points out.
HIPAA, which was passed in 1996 and focuses on the protection of patient data, covers all three points of the CIA triangle. HIPAA is particularly pertinent to insurance providers and other companies that process patients’ medical records. “The privacy piece is what everyone likes to talk about, but there are also integrity and availability portions as well,” Schawacker notes. “For instance, it’s essential to prevent medication mix-ups, and it’s also essential that someone going into emergency surgery can get all of his charts.”
HIPAA does not affect only health care providers and insurance companies. Its privacy rule applies to any organization that handles patient information in one of the roles the law covers. That includes employers whose group health plans hold employee health data, and financial institutions that act as health care clearinghouses, converting non-standard transactions into standard ones and vice versa.

Build Good Security First, Check Compliance Later
Many financial services firms had been taking steps toward regulatory compliance long before the laws were enacted. The more mature organizations have taken the approach of building a good security program first and then checking for compliance later, says Schawacker. “The regulations are simply telling people to do what they should have been doing for years, and that’s why financial services firms have a pretty easy time complying.”
The laws are vague in terms of what companies need to do to actually achieve compliance. “The reason that some regulations are as vague as they are is because they have to apply to so many different kinds of organizations,” Schawacker says. “HIPAA and GLBA are more specific because they each address a vertical market. The more specific the industry, the more specific the requirements will be. For the most part, organizations simply need to show due diligence in their efforts and abide by the spirit of the act.”
While current regulations are disparate in terms of their purposes and compliance requirements, they do have one thing in common: Companies that seek to comply with these regulations have an undeniable need for secure systems.
In any industry, a company should focus on putting a sound set of security controls in place first. With audit-focused regulations like Sarbanes-Oxley and GLBA, all that then remains is to document those controls. HIPAA is another story: it is not an audit-oriented compliance problem, and it requires companies to operationalize their security.
Whatever companies decide to do to achieve and maintain compliance, they need to be able to justify their efforts through documentation, reliable reporting and a good audit trail of content. “It’s really documentation, documentation, documentation,” Schawacker points out, “and that can take the form of archiving messages, reporting on usage, and being able to generate some kind of documentation on the status of the configuration of controls at a moment’s notice.”
Companies should also develop risk management strategies so that they prioritize their resources on the greatest threats to their businesses. Security teams can measure risk by weighing the value of each information asset, the vulnerabilities it carries, and the realistic threats to that asset.
It’s really a case of showing that you’ve made the best efforts toward compliance, explains Mark Harris, McAfee’s Director of Engineering. “McAfee® ePolicy Orchestrator® (ePO™) can show coverage reports to make sure everyone is up to date. The System Compliance Profiler (SCP), which is an integral part of ePO, can look at the latest versions of the patches installed,” he says. “Again, it’s a case of being able to prove that you’re making best efforts to keep your machines and control room in compliance and producing the data to prove that.”
Part of compliance, Harris adds, is traceability and being able to monitor what is and isn’t being communicated. “We have the secure content messaging product line. All products share some common functionality that can look inside e-mail messages, attachments, Word documents and spreadsheets, and pull out text and search for key words,” Harris points out.
“You can set up rules that will either block that information going out of an organization, or you can log any email that goes out with key words or phrases in either the e-mail message or attachment,” Harris explains. “You can do that for an entire organization or for key individuals within the firm.”
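The keyword rule Harris describes, searching the message body and its attachments and then blocking or merely logging depending on who sent it, as an added Python example that is not McAfee's code. The rule names, addresses, policy actions and sample messages are constructed for illustration, and only plain-text and CSV parts are searched, since Word and spreadsheet text extraction is outside the scope of this example.

```python
"""Keyword inspection of outbound e-mail, including attachments.

Added example (not McAfee code): a minimal block/log rule engine of the
kind described above. It assumes text-like attachments (text/plain,
text/csv); Word and spreadsheet extraction is out of scope. The rule set,
sender addresses and sample messages are constructed for illustration.
"""
import email
import re
from email.message import EmailMessage
from email.policy import default as default_policy
from email.utils import parseaddr

# Hypothetical rule set. "*" in senders means the rule applies firm-wide;
# otherwise only to the listed individuals. "block" stops the message,
# "log" lets it through but records the hit.
RULES = [
    {"name": "ssn", "pattern": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
     "action": "block", "senders": {"*"}},
    {"name": "deal-codename", "pattern": re.compile(r"\bproject\s+falcon\b", re.I),
     "action": "block", "senders": {"*"}},
    {"name": "client-list", "pattern": re.compile(r"\bclient list\b", re.I),
     "action": "log", "senders": {"trader@example.com"}},
]

# MIME types whose payload can be searched directly.
TEXT_TYPES = {"text/plain", "text/csv"}


def extract_text(msg):
    """Yield (location, text) for the body and every searchable attachment."""
    for part in msg.walk():
        if part.get_content_type() not in TEXT_TYPES:
            continue  # multipart containers and binary parts are skipped
        location = part.get_filename() or "body"
        yield location, part.get_content()


def evaluate(raw_message):
    """Return (action, hits) for a raw RFC 822 message.

    action is "block", "log" or "allow"; hits lists every matching rule
    with the part it fired on. A single block rule outranks any log rule.
    """
    msg = email.message_from_string(raw_message, policy=default_policy)
    sender = parseaddr(str(msg["From"]))[1].lower()
    hits = []
    for location, text in extract_text(msg):
        for rule in RULES:
            if "*" not in rule["senders"] and sender not in rule["senders"]:
                continue  # rule is scoped to other individuals
            if rule["pattern"].search(text):
                hits.append({"rule": rule["name"], "part": location,
                             "action": rule["action"]})
    if any(h["action"] == "block" for h in hits):
        return "block", hits
    return ("log" if hits else "allow"), hits


def _build(sender, body, attachment=None):
    """Construct a sample outbound message (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "outside@partner.example"
    msg["Subject"] = "Re: follow-up"
    msg.set_content(body)
    if attachment is not None:
        name, text = attachment
        msg.add_attachment(text, subtype="csv", filename=name)
    return msg.as_string()


def sample_block_message():
    # Clean body, but the attachment carries a US Social Security number.
    return _build("analyst@example.com", "Please find the file attached.",
                  ("clients.csv", "name,ssn\nJ. Doe,123-45-6789\n"))


def sample_log_message(sender="trader@example.com"):
    # "client list" is logged only when the watched individual sends it.
    return _build(sender, "Sending the client list you asked for.")


def sample_clean_message():
    return _build("analyst@example.com", "Lunch at noon?")


if __name__ == "__main__":
    for build in (sample_block_message, sample_log_message, sample_clean_message):
        action, hits = evaluate(build())
        print(f"{build.__name__:22s} -> {action:5s} {hits}")
```

Rules fire on the decoded content of each MIME part rather than on the raw wire bytes, so base64 or quoted-printable encoding of an attachment does not hide a keyword; parts of types the engine cannot decode (images, Office files) pass through silently, which is the gap a production gateway closes with document text extractors.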
Schawacker adds that any technology that can produce comprehensive configuration reports is going to help financial services companies achieve greater levels of accountability, transparency and measurability, all key to compliance. “In each of the regulations, you’ll have to have some sort of asset matrix that you’ll need to put together, and rogue system protection—which is part of ePO—is great for that,” he says.
Another McAfee offering, the McAfee® Foundstone® Enterprise vulnerability management solution, is also valuable to financial services firms’ regulatory compliance efforts. The enterprise-class solution, designed to manage and mitigate the business risks associated with digital vulnerabilities, works to protect network infrastructure through asset discovery, inventory and prioritization; threat intelligence and correlation; and remediation tracking and reporting. The Foundstone Enterprise Threat Correlation Module lets customers track progress against specific threats over time, allowing them to confirm that they are meeting internal and regulatory compliance policies.
Since this article was written, McAfee has introduced new products that offer similar capabilities. Please see our products section for additional information.
