“One is what we call an external penetration test,” says president and owner Carl Boecher. “We probe for vulnerabilities, and then based on what vulnerabilities we see, we know what can be done by a hacker. We put all that information in a report and send it to the client, and then the client is expected to take whatever action is necessary to correct those particular issues.”
Another type of testing is internal vulnerability testing, where a scanner is installed inside the client’s firewall to assess vulnerabilities. The testing helps institutions come into compliance with the Gramm-Leach-Bliley Act—which requires a financial institution to safeguard its information—and all its related objectives. All the best practices related to Gramm-Leach-Bliley are published in a 150-page document called the “Information Security IT Examination Handbook.”
“Examiners from different regulatory agencies will go through and check these things,” Boecher says. “So typically, prior to an examination, a bank will have compliance tests performed. Then they’ll take the report that’s generated and show the examiner that they have in fact been tested, and that they’ve been found to be compliant or noncompliant. If they are found to be noncompliant, they will then show their remediation plans, and/or how they have actually fixed these particular vulnerabilities that we have found.”
In a large organization that is subject to a wide variety of regulations, the overall compliance process can be divided into five basic steps:
• Documentation of all the rules the organization must follow—not just the top-level regulations, but also all the day-to-day policies and controls that enable the business to successfully comply.
• Approval of all those policies and controls by managers and executives.
• Publication of the policies, controls, and procedures across the organization. Typically, this means distributing the policies to both employees and vendors, usually via the Internet.
• Compliance testing.
• Resolution of compliance problems.
“On top of that, most companies now want to have a reporting mechanism that shows them that progress is being made in all these five steps,” Borman says. “If you have groups that don’t respond to a certification or a test or respond back saying ‘I’m not following these policies or procedures,’ they need to get resolved. So you need a way to keep track of that. Where are we? [Executives] want to be able to see monthly or weekly or quarterly results in those five areas.”