Compliance is a moving target, especially when it comes to Sarbanes-Oxley and personal data protection. Technologies change, companies grow, systems evolve, and a compliance program must take these changes into account to remain effective. It is worth remembering that what counts is not the design of the compliance program on paper but its ability to meet its overall goal, whether that is accuracy in financial reporting or protection of customers' personal information.
Too often, managers implement fixed initiatives and auditors work from static checklists. Every information security program aimed at compliance must be continually updated to reflect changes in how we use technology. We have already seen popular technologies put compliance programs at risk simply because they were not addressed. While many IT administrators are aware of these threats, they tend to fall well below the radar of higher-level compliance officers until after a problem has been discovered. Three examples of overlooked technologies are remote access programs, the advancing capabilities of internet chat programs, and the continuing use of peer-to-peer applications.
Remote Access Programs
Remote access programs give a user a remote connection from their office computer to their home or personal PC or laptop, and many are specifically designed to tunnel or fragment their traffic so that corporate firewalls do not block it. Because the session is typically encrypted end to end and the product cloaks user activity, forensic reconstruction of abuses after the fact can be very difficult. Of even greater concern, some of these programs allow a user to grant other people remote access to their office PC. While these applications clearly put critical data and the security of office networks at risk, many organizations have no policy prohibiting their use, and no monitoring that would reveal it.
Internet Chat Programs
Internet chat programs, or instant messaging (IM) applications, are frequently cited as an information security concern, yet their effect on compliance is too often overlooked. Many of us view IM as a simple way to exchange short text messages, but its capabilities go far beyond conversation. Most troubling for compliance officers is the advancing file transfer capability of IM programs. File transfer over IM both allows unauthorized dissemination of confidential information and opens networks to infection by spyware and other malicious code, because files arrive without passing through the corporate security controls (gateway filtering, content inspection and logging) that e-mail attachments are subject to. Most corporations are well aware of the threat that e-mail file transfers pose and are actively working to address it, but IM is often overlooked as a channel for confidential data leakage.
Peer-to-Peer (P2P) Applications
Peer-to-peer (P2P) networking is an internet phenomenon that is not likely to go away anytime soon. When one site is shut down for piracy, ten more seem to emerge, and internet users are becoming ever more creative in how they use P2P applications. That these programs make their way onto corporate networks is no surprise. P2P applications threaten compliance not only because they can be used for unauthorized file transfers or the illegal distribution of copyrighted material, but also because they place any data on an office PC running them at risk of exposure: a shared folder that is misconfigured, or simply too broad, can publish business documents to every other peer on the network.
For many corporations, the answer to this compliance dilemma may be to ban the emerging technologies that put their programs at risk. For others, those same technologies may hold the key to innovations that will greatly advance their business goals. Whichever approach your organization takes, the mistake to avoid is turning a blind eye to the effect of emerging technologies on your compliance program. For every major security threat acknowledged in the mainstream today, there is one organization that has had the unwanted distinction of being the example of the damage that threat can cause. If you want to avoid being that unfortunate example, your compliance program must be flexible enough to address both the threats you know today and the ones that will emerge tomorrow.
John McNulty is president, chairman and CEO of Secure Computing Corporation. He is a member of the Board of Directors of the Cyber Security Industry Alliance.