Making sense of regulatory compliance and data storage for SMBs


Kevin Beaver
07.20.2009


As if running a storage shop in an SMB these days isn't tough enough, there's growing industry and government regulation that really puts some teeth into "compliance" as we know it. In the past year alone, we've seen a lot of new ground covered in the area of IT governance. For instance:

  • The state of Nevada requires all payment card-accepting businesses to comply with PCI Data Security Standard (PCI DSS).
  • The state of Massachusetts's 201 CMR 17.00 requires a comprehensive information security program to protect its citizens' personal information.
  • Obama's recent government expansion bill contained the "HITECH Act," which expands HIPAA compliance requirements to healthcare industry business associates.
  • More states have created their own breach notification laws -- only six states are without them -- which has a direct impact on storage security.

Looking at the PCI Data Security Standard, you'll see it has at least a half-dozen items that directly affect storage security. PCI DSS and HIPAA are industry regulations intended to enhance the security of sensitive credit card information. The Gramm-Leach-Bliley Act Safeguards Rule, although more high-level, also affects storage. As for the Sarbanes-Oxley Act (SOX), many SMBs aren't affected by its far-reaching claws. But given their market capitalization, or the fact that they're private businesses, some are affected, and SOX Section 404 has a direct impact on these businesses. SOX Section 404 requires every covered entity to maintain comprehensive controls surrounding their financial reporting systems. The storage involvement becomes obvious when you think about the complexities of the average business's financial systems, especially when it comes to information classification and retention.

Even widely accepted information security frameworks that many SMBs try to align themselves with, such as ISO/IEC 27002:2005, contain several storage-related components such as policies, asset management, access controls, information classification, physical security of media in transit and so on.

So what should an SMB make of all this? Well, you can't simply bury your head in the sand and pretend compliance doesn't affect your business, because it does. Management could attempt to write this off as an acceptable risk (like many do). Or they could invest in cyber insurance coverage that provides coverage for certain security shortcomings and subsequent data breaches. Cyber insurance was the darling savior that was supposed to be the catch-all to make up for the lack of due diligence and business responsibility, but it never seemed to evolve into the simple fix many business managers were hoping for.

The reality is you're going to have to tackle this compliance beast once and for all, but it doesn't have to be complicated. The formula is simple: put the right person in charge of compliance (i.e., someone who equally understands the operational and technical sides of security and privacy), figure out what laws and regulations affect your business, determine what sensitive information you store and where it's located, and then put some basic documentation, technical controls and processes in place to ensure things are safe and secure.

Simply focusing on the basics of information security will buy you 90% of what you need. Furthermore, you won't have to spend a ton on locking everything down with fancy technologies some vendors are pushing. Easily 80% of the controls you need are already at your disposal built right into your operating systems, applications and appliances.

Several SMB clients have attempted this and succeeded. But this is not a $75,000 investment in a six-month project. Even if your budget is tight and your staff expertise is limited, it can be done in a few weeks, and is relatively inexpensive.

About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security including the ethical hacking books "Hacking For Dummies" and "Hacking Wireless Networks For Dummies" (Wiley). He's also the creator of the "Security On Wheels" information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.

