The positive side of regulatory compliance

When I was working at MCI WorldCom - now Verizon - at the end of 2004, talking to yet another auditor about controls, I did not think that I would ever be looking back with nostalgia.

When I was working at MCI WorldCom - now Verizon - at the end of 2004, talking to yet another auditor about controls, I did not think that I would ever be looking back with nostalgia.

After working with one group of auditors as we were going into and coming out of Chapter 11 bankruptcy, we then had another group of auditors to work with as we prepared for a Sarbanes Oxley (Sox) audit, then another group of auditors as we had the actual Sox auditor.

Each group of auditors came in with little or no idea of the processes and policies we had to cover in the various areas of information security we spent several hours with each new group explaining how we did things and why.

But although this all took an immense amount of time, and explaining things with several different auditors over six months was tedious, nevertheless there was a development that I found useful, hence my nostalgia now.

There were several new initiatives that I was trying to introduce to complement our processes for removing access for leavers these initiatives revolved around getting administrators to add a list of their users to a database and getting the human resources department to include the database in their leavers process.

What I was trying to get was an automated process whereby a leaver's notification would be matched against a user name on the database and the relevant administrator advised by e-mail that one of the users on his application may be leaving.

A relatively simple process, and by the time I left the organisation a large number of applications formed part of the database, but that was some years after I first started pushing the concept of the database.

Although everyone thought that any steps to reduce leavers still having access to our systems were worth taking, actually getting administrators to take part and add their user lists to the database floundered, not on any security concerns but on budget. Unless I had budget for their time - I did not - they would not put in the time.

And then along came Sarbanes Oxley, and I returned to the administrators. What a change. Now, at the mere mention that the leavers process formed part of the work towards Sox, the administrators provided the required user lists.

I am now working in the charity sector, which does not have a driver such as Sox. However you much you explain and supply backing material, trying to promote improvements in information security as "industry best practice" just does not cut it.

Just at the beginning of this year, though, I found my driver - the Payment Card Industry Data Security Standard for those organisations processing debit and credit card payments, and it worked just as well as Sox does. Being able to say "this is what is needed, this is why, this is what will happen if we do not comply" concentrates the mind.

Since PCI is an ongoing standard, our processes need to encompass not just existing methods of handling debit and credit card details, but also future projects that may manage these details. PCI impacts on project management and developers.

Having worked in regulated and less regulated areas, I find from experience that having a regulatory or legislative driver achieves much more than mere "best practice".

Brian Shorten, CISSP, is BCP risk and security manager with Cancer Research UK

Read more on IT risk management