Peer to Peer Magazine

March 2013

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/116777


Compliance is a growing concern in organizations large and small, and the investment needed to satisfy compliance requirements has grown with it. Recent breaches have been well publicized and have often exposed weaknesses in traditional compliance strategies. Violations of legislation such as the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley Act (SOX) can result in large fines and even criminal prosecution.

A key issue with today's data explosion is that we don't have a handle on all the data that exists. This creates blind spots where risk can creep in unchecked. Parceling data into slices for security, IT and compliance to review separately creates silos between areas of knowledge, and the blind spots remain despite our efforts to drink from the big data fire hose.

PLAY BY THE RULES

Compliance can be thought of simply as making sure we play by the rules, whatever they may be. The rules can come from internal policies, client mandates and external laws and regulations. For example, a law firm may have a client that is a health care provider subject to laws governing electronic protected health information (ePHI). As that client's service provider, the law firm may itself be subject to mandates on how the client's data are handled.

Compliance should be one part of an organization's approach to security. Governance, risk management and compliance (GRC) together form a life cycle: identifying and understanding risk, creating rules and mechanisms for controlling risk, and checking that those controls are actually being put into action.

REACTIONARY DATA COMPLIANCE

"Big data" is the idea that data sets are growing so large and complex that current strategies for collecting, managing and analyzing information are breaking down. As a result, computing systems are growing more massive in order to cope with the load. Data growth is expected only to accelerate as more sources of data are created.
Policies, laws and mandates rarely tell us in IT terminology what needs to be done to achieve compliance. Because of this, compliance is typically an afterthought that surfaces as the result of a failed audit or risk assessment. IT usually responds to compliance requirements in one of the following ways:

• Enforce more IT security controls, such as intrusion prevention systems, firewalls and data loss prevention systems
• Implement a log management solution or a full security information and event management (SIEM) solution
• Purchase a set of canned compliance reports
• Do whatever the auditors recommend, verbatim, without understanding how it affects the organization

However, compliance is not a single product or a one-time reaction to a deadline or mandate. Compliance should be a process driven by the firm's internal framework of governance and risk management. Security controls are a way to manage risk, and they often help the organization achieve compliance by automating procedures, protecting information and recording evidence.

EASIER DATA MONITORING

A platform that collects events from IT systems (intrusion detection, firewall, router, server and database logs) and correlates that information against a set of higher-level rules derived from regulations and standards such as the Federal Information Security Management Act (FISMA), HIPAA, the Payment Card Industry Data Security Standard (PCI DSS) and SOX is called an IT GRC or enterprise GRC system. The purpose of these platforms is to automate the job of collecting information and reporting on the organization's compliance posture. They are used by internal compliance analysts and auditors. Historically, systems like this have relied on a large amount of manual effort: while they help achieve compliance goals, they have not been efficient, and they lack the scalability needed to tackle big data. The biggest challenge for an IT GRC system is shifting from a reactive to a proactive posture.
Firms often create policies and standards only after a security incident or failed audit. It is not easy to translate GRC requirements into a set of searches, reports or automated checks. Making the transition from reactive to proactive requires a system that can make that translation and that makes routine monitoring of the organization's overall compliance posture easy.

Traditional systems for log management or SIEM have had difficulty working with massive amounts of data, and they have grown in size and complexity to manage the growing volume, velocity and variety of data. Some key challenges are:

• Collecting data from a variety of sources in a timely manner
• Correlating data from multiple sources in a timely manner without using massive computing platforms
• Parsing and correlating unstructured data
• Maintaining the security, integrity and chain of custody of logs

Just as firms use business intelligence to analyze customer data for behavioral patterns, compliance analysts need a solution that can digest vast amounts of IT data to find risk patterns.
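The two sections above describe the gap a practitioner has to close by hand: turning a rule into an automated check, correlating events from more than one source, parsing unstructured lines into something comparable, and keeping the collected evidence trustworthy. The following Python program is an added example, not code from the article or from any GRC or SIEM product it discusses. It parses two differently formatted logs into a common record, evaluates one hypothetical control rule across both, and keeps the ingested lines in a hash chain so that later tampering with the evidence is detectable. All log lines, host names, IP addresses and the control name CTRL-AUTH-01 are constructed for the example, and the firewall log's year is an assumption because classic syslog timestamps omit it.

```python
"""Added example (not from the article): one compliance rule turned into an
automated check over heterogeneous logs, plus a hash chain that keeps the
collected evidence tamper-evident. All log lines, hosts, addresses and the
control identifier CTRL-AUTH-01 are constructed for this example."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: an SSH auth log and a perimeter firewall log.
AUTH_LOG = """\
2013-03-04T09:00:01 srv-dms01 sshd[2201]: Failed password for jdoe from 203.0.113.7 port 51022 ssh2
2013-03-04T09:00:09 srv-dms01 sshd[2201]: Failed password for jdoe from 203.0.113.7 port 51023 ssh2
2013-03-04T09:00:15 srv-dms01 sshd[2201]: Failed password for jdoe from 203.0.113.7 port 51024 ssh2
2013-03-04T09:00:22 srv-dms01 sshd[2201]: Accepted password for jdoe from 203.0.113.7 port 51025 ssh2
2013-03-04T09:30:00 srv-dms01 sshd[2300]: Failed password for asmith from 192.0.2.44 port 40001 ssh2
"""
FW_LOG = """\
Mar  4 09:00:00 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.5.12 PROTO=TCP DPT=22
Mar  4 09:29:58 fw01 kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=10.0.5.12 PROTO=TCP DPT=22
"""
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FW_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                   r"(?P<action>ACCEPT|DROP) .*SRC=(?P<ip>\S+) .*DPT=(?P<port>\d+)")
FW_YEAR = 2013  # assumption: classic syslog timestamps carry no year


def parse_auth(text):
    """Normalize auth-log lines into common event records; unparsable lines are skipped."""
    events = []
    for m in filter(None, map(AUTH_RE.match, text.splitlines())):
        events.append({"ts": datetime.fromisoformat(m["ts"]), "source": "auth", "host": m["host"],
                       "kind": "login_fail" if m["result"] == "Failed" else "login_ok",
                       "user": m["user"], "ip": m["ip"]})
    return events


def parse_fw(text):
    """Normalize firewall lines into the same record shape as parse_auth."""
    events = []
    for m in filter(None, map(FW_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{FW_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "source": "fw", "host": m["host"], "ip": m["ip"],
                       "kind": "fw_" + m["action"].lower(), "port": int(m["port"])})
    return events


def check_ctrl_auth_01(auth_events, fw_events, max_failures=3, window=timedelta(minutes=5)):
    """Hypothetical control CTRL-AUTH-01: a successful login preceded by at least
    max_failures failed logins for the same user from the same address within
    `window` is a finding; each finding notes whether the firewall admitted that address."""
    fw_accepted = {e["ip"] for e in fw_events if e["kind"] == "fw_accept"}
    failures = defaultdict(list)           # (user, ip) -> timestamps of failed logins
    findings = []
    for e in sorted(auth_events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["ip"])
        if e["kind"] == "login_fail":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures.pop(key, []) if e["ts"] - t <= window]
        if len(recent) >= max_failures:
            findings.append({"control": "CTRL-AUTH-01", "user": e["user"], "ip": e["ip"],
                             "host": e["host"], "failures": len(recent), "at": e["ts"],
                             "seen_at_perimeter": e["ip"] in fw_accepted})
    return findings


GENESIS = hashlib.sha256(b"").hexdigest()


def _link(prev, line):
    return hashlib.sha256((prev + "\n" + line).encode()).hexdigest()


def chain_records(lines, prev=GENESIS):
    """Append-only hash chain: each digest commits to its line and the previous digest,
    so editing, deleting or reordering stored evidence breaks every later link."""
    records = []
    for line in lines:
        prev = _link(prev, line)
        records.append((line, prev))
    return records


def verify_chain(records, head=None):
    """Return the index of the first broken link, or -1 if the chain is intact. `head` is the
    final digest kept outside the log store; without it a consistent rewrite of the tail passes."""
    prev = GENESIS
    for i, (line, digest) in enumerate(records):
        if _link(prev, line) != digest:
            return i
        prev = digest
    return len(records) if head is not None and prev != head else -1


if __name__ == "__main__":
    for finding in check_ctrl_auth_01(parse_auth(AUTH_LOG), parse_fw(FW_LOG)):
        print(finding)
    evidence = chain_records(AUTH_LOG.splitlines())
    head = evidence[-1][1]                 # anchor this value off-box (separate log host, WORM store)
    tampered = list(evidence)
    tampered[1] = (tampered[1][0].replace("Failed", "Accepted"), tampered[1][1])
    print("intact:", verify_chain(evidence, head), "tampered at:", verify_chain(tampered, head))
```

The rule is deliberately expressed as a parameterized function rather than a canned report: the same code answers an auditor's "show me every brute-force login that succeeded" and a tighter internal standard with a shorter window. The hash chain only proves integrity relative to a trusted head digest; an attacker with write access to the store can rewrite the tail consistently, which is why the head (or a periodic signature over it) must be kept on a system the log source cannot alter.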
