Carol discusses how compliance requirements are not going away and, in fact, are increasing for some organizations.
Why am I talking about compliance? Compliance—in my opinion—is a tired term that was horribly over-used a few years ago. Every issue that security officers wanted to be resolved was somehow categorized as a “compliance requirement,” and every ad from all vendors—security-related or not—proclaimed the virtues of how their product solved your compliance woes.
The reason I’m bringing up the topic of compliance now is because the Trump administration has promised to reduce regulations. My fear is that everyone who resisted the compliance requirements stemming from regulations such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry’s Data Security Standard (PCI DSS) will assume that they’re going away. While I may be wrong, I don’t believe that’s the case.
I’m asserting this for several reasons. First, if you listen to the discussions of repealing legislation that’s restricting business growth, it centers around Dodd-Frank. I have heard no mention of SOX being repealed. What about HIPAA? Won’t that go away if the Affordable Health Act is repealed? Again, the answer is no. The requirements to properly secure healthcare data (aka HIPAA) were around long before the Affordable Healthcare legislation was passed. One has nothing to do with the other. As for PCI DSS, that’s not a government requirement. PCI DSS comes from the PCI Council, which is independent of all governments. So there’s no “repealing” PCI DSS.
Benefits of Compliance Requirements
While I realize that implementation can be painful and time-consuming, I choose to look at the positives of these requirements. And I believe there are numerous benefits to compliance requirements. Here are just a few:
- Laws such as SOX have brought about the requirement for separation of duties and the requirement that all processes that feed into financial information must be known and reliable so that the financial information is known to be accurate. In the IBM i world, SOX required the implementation of source control and a formal promotion process. No longer can the same developer write code and then promote their own code. While the developer may not appreciate this, it’s an appropriate separation of duties. Also, it’s brought about more role-based access. The same person cannot create a new accounts payable entry and also approve or sign checks for that account, removing the temptation to create false accounts and commit fraud.
- HIPAA as well as the PCI DSS have requirements for securing data. Even with these, we see reports almost daily of databases that have been breached and data that’s been stolen. If such losses can occur with these requirements in place, imagine the loss of data that would occur without the safeguards in place that stem from these laws and regulations!
- One of the most useful benefits is that those individuals implementing the requirements become more aware of what’s happening——
The Downside of Compliance
All is not perfect in Compliance-land, and I do understand that there are painful aspects of compliance. These include:
- Too many audits! We have clients—many in the financial industry—that suffer through multiple audits a month. That’s overkill to be sure.
- The details are lost. I’ve seen compliance requirements, especially from the aspect of what’s reported on, that are “normalized” across multiple operating systems. When that happens, many of the details that should be examined are lost. For example, you may be required to show that all users have to change their passwords every 90 days. But the auditor only looks at the QPWDEXPITV (password expiration interval) system value and totally neglects the fact that the password expiration interval can be overridden in the user profile. I’ve seen cases where the system value has been set to 90 (days) but all profiles on the system have been set to password expiration interval *NOMAX, meaning that users never have to change their passwords!
- Compliance is treated as a one-time event. Meeting compliance requirements doesn’t do an organization much good when they are only in compliance once a year—at the time of the audit. I’ve said for years that compliance must be a “lifestyle”—not a one-time event. That’s why the PCI DSS was updated a couple of years ago to include the requirement of having to prove to auditors that you are regularly checking the compliance requirements (i.e., perpetual compliance) so that security is “business as usual” and not just addressed at the time of the audit.
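The QPWDEXPITV gap described above is easy to catch if the audit looks at effective settings rather than the system value alone. The query below is an added example, not from the article, that lists every enabled, password-bearing profile whose effective password expiration interval is longer than 90 days or *NOMAX; it assumes the IBM i SQL services QSYS2.SYSTEM_VALUE_INFO and QSYS2.USER_INFO, in which PASSWORD_EXPIRATION_INTERVAL is 0 for *SYSVAL and -1 for *NOMAX, and that QPWDEXPITV set to *NOMAX appears with a NULL numeric value.

```sql
-- Added example (not the article's own code): find user profiles whose
-- effective password expiration interval defeats a 90-day policy, whatever
-- the QPWDEXPITV system value says.
-- Assumptions: QSYS2.USER_INFO.PASSWORD_EXPIRATION_INTERVAL is 0 for *SYSVAL
-- and -1 for *NOMAX; a QPWDEXPITV of *NOMAX shows up as NULL in
-- CURRENT_NUMERIC_VALUE of QSYS2.SYSTEM_VALUE_INFO.
WITH sysval AS (
  SELECT COALESCE(CURRENT_NUMERIC_VALUE, -1) AS qpwdexpitv   -- NULL => *NOMAX
  FROM QSYS2.SYSTEM_VALUE_INFO
  WHERE SYSTEM_VALUE_NAME = 'QPWDEXPITV'
),
effective AS (
  SELECT u.AUTHORIZATION_NAME,
         u.PASSWORD_EXPIRATION_INTERVAL AS profile_interval,
         CASE u.PASSWORD_EXPIRATION_INTERVAL
           WHEN 0 THEN s.qpwdexpitv            -- *SYSVAL: inherits QPWDEXPITV
           ELSE u.PASSWORD_EXPIRATION_INTERVAL -- profile overrides the system value
         END AS effective_interval
  FROM QSYS2.USER_INFO u
  CROSS JOIN sysval s
  WHERE u.STATUS = '*ENABLED'                  -- disabled profiles cannot sign on
    AND u.NO_PASSWORD_INDICATOR = 'NO'         -- PASSWORD(*NONE) profiles have nothing to expire
)
SELECT AUTHORIZATION_NAME,
       CASE profile_interval
         WHEN 0  THEN '*SYSVAL'
         WHEN -1 THEN '*NOMAX'
         ELSE CHAR(profile_interval)
       END AS PWDEXPITV_IN_PROFILE,
       CASE effective_interval
         WHEN -1 THEN 'never expires'
         ELSE CHAR(effective_interval) || ' days'
       END AS EFFECTIVE_EXPIRATION
FROM effective
WHERE effective_interval = -1          -- never expires, regardless of QPWDEXPITV
   OR effective_interval > 90          -- expires, but later than the policy allows
ORDER BY effective_interval, AUTHORIZATION_NAME;
```

An empty result set is the evidence an auditor should be asking for; a non-empty one is exactly the *NOMAX case the article describes, and it should be reviewed every cycle, not once a year.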
More Compliance Requirements Coming
With the exception of the PCI DSS, this discussion has been centered around compliance requirements specific to the U.S. As we expand our view, we must recognize that there’s more—not less—regulation coming, especially if you work for an organization with employees in the European Union. The General Data Protection Regulation (GDPR) has far-reaching requirements to protect individuals’ privacy and access to their private information. GDPR replaces the EU Data Protection Directive, and because it’s a “regulation” rather than a “directive,” it’s a law, not merely a strong suggestion left up to interpretation by all of the EU member states. Its intent, according to Wikipedia, is to “give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.” GDPR comes with requirements for securing private data, requirements for breach notification, penalties for non-compliance, etc. I’ve heard some refer to GDPR as “PCI on steroids.” GDPR was adopted by the European Parliament on April 14, 2016, and goes into effect May 25, 2018. I’ll be writing about GDPR and what it means to the IBM i community in a future article.
You may be thinking that, now that Donald Trump has been sworn in, things will go back to the “good ol’ days” prior to SOX and the plethora of compliance requirements that have rocked your world over time. Perhaps you’ve stopped running or reviewing your compliance reports in anticipation of this. Or perhaps you’re assuming that your organization’s compliance department will “go away.” While these wishes may come true in your dreams, they are just that: dreams. So I encourage you to embrace the benefits of compliance requirements and once again, make compliance part of your IT lifestyle.