
New products aim to streamline compliance efforts

By Ron Condon, U.K. Bureau Chief
22 Sep 2009 | SearchSecurity.co.uk

Enterprise IT news roundup

For overworked security departments, ensuring compliance with a range of different regulatory requirements can become a huge task. Many organisations end up with several teams, each of them dedicated to a specific standard, such as PCI DSS, Sarbanes-Oxley, Basel II, ISO 27001 or the Code of Connection for local government.

The compliance effort can prove not only expensive, but also very inefficient since most of the regulations have many things in common, and so much work is unnecessarily duplicated.

Now two companies are promising to help organisations gain control of their compliance responsibilities, and save time and money by rationalising their efforts.

Both of the solutions rely on the Unified Compliance Framework (UCF), a service provided by Network Frontiers LLC, which tracks the development of hundreds of global regulations and pulls their requirements together to see where they overlap.

The first product comes from OpenPages Inc., a long-term player in the compliance market. Combining the UCF with its own governance software, the company is launching a reporting and management tool that will work across multiple compliance initiatives, and break down the inefficient siloed approach, according to Gordon Burnes, head of marketing for OpenPages. "UCF tracks more than 400 laws, regulations and guidelines from around the world, and provides a set of 2,500 harmonised controls," he said.

As well as tracking progress in compliance, he said the system will allow companies to carry out "what if?" modelling of any changes they plan, to see how the changes could affect their compliance position.

The other new offering comes from Lumension Inc. and is based on the compliance and risk management technology it acquired with the purchase of SecurityWorks Inc. last April.

Now rebranded as the Lumension Risk Manager, it is underpinned by the UCF to provide up-to-date information about all relevant regulations. Alan Bentley, head of vulnerability management at Lumension, said the new product enables companies to combine and streamline compliance and IT risk management, and to manage both in real time.

Taking feeds from systems under the scope of compliance -- which could be servers, databases, desktops or other devices -- the central monitor maps their state of security against a nominated set of regulations and highlights any areas of non-compliance.

"We are offering an automated, repeatable and manageable process that feeds into both risk and compliance, and helps organisations manage their IT risk against their IT systems," Bentley said. "This feeds into their compliance requirements on a daily and weekly basis. It means they can make fine-tuning adjustments throughout the year and then be ready for their audit when it comes around, rather than having a mass panic each time."

While the OpenPages offering is aimed mainly at very large organisations, Lumension is also targeting smaller organisations with 500 to 2000 employees.

"Smaller organisations still have to spend a lot of money managing their one or two requirements -- such as PCI or the Code of Connection, for example," Bentley said. "They don't have the skills, so they have to pay a consultant to figure out which parts of their systems and networks are affected by the regulations, and what they need to do about it to be ready for the audit. It can be very onerous for a relatively small organisation."

Mark Nicolett, an analyst with the Gartner Group specialising in governance and compliance, said it is essential to automate and streamline as much of the compliance process as possible. "One of my clients cut 60% off the cost of reporting requirements by doing automation," he said.

By working from a central library of requirements, he said, it is possible to scan systems once and then report back on the various requirements and standards.

He added that there are several other players in the IT GRC (governance, reporting and compliance) management market, including Agiliance Inc., Archer Technologies LLC, BWise Inc., Computer Associates Inc., Information Governance, Modulo, Relational Security Corp., Symantec Corp., Telos Corp. and Trustwave Inc. Many of these companies also license the UCF for their information about the various regulations and standards, Nicolett said.
