Publisher and politician Steve Forbes once said that “regulations act as a hidden tax, and if we are not careful, they can begin to suffocate small businesses, destroy jobs, and choke off economic growth.”
Strong words from Mr Forbes, but apt when one considers the glut of IT regulations businesses are now required to comply with, many of which carry substantial data-handling and security obligations.
The steady drip of compliance obligations onto corporate agendas is creating a ripple effect which resellers can cash in on. Where companies need to spend money on IT, resellers should be on hand with the knowledge and capabilities to ensure customers are compliant, and resellers' bank managers are happy.
Highlighting the effect of compliance across the IT landscape, IDC recently reported that global sales of email archiving applications rose 45 percent in 2006, fuelled partly by the need to satisfy compliance and legal discovery requirements. The research house expects the market to approach US$1.4 billion in 2011, a five-year compound annual growth rate of 23.4 percent.
Despite growing awareness of compliance obligations, there is still a huge opportunity to educate end-users on what they need to have in place, and then supply the corresponding solution.
Research commissioned by security firm McAfee found that global businesses have reached “compliance breaking point” as they struggle to put the necessary IT security resources in place to comply with ever more stringent legislation.
The study found that by mid 2006, reports of security breaches in the US were numbering between eight and 10 per week. To date, almost 94 million records containing sensitive personal information have been involved in security breaches.
Further research comes from a survey carried out by Critical Research for Achiever Business Solutions, a governance and regulatory compliance systems group. It predicted a turf war between traditional IT departments and compliance officers in large organisations, as the newly formed internal regulatory watchdogs attract budgets and resources once devoted to IT.
“Monies that would previously have fallen under IT executives’ control are diverted into these new compliance divisions, with decisions about the compliance systems chosen and the platforms used falling outside existing IT policies,” said Robert Dent, chief executive at Achiever Business Solutions. “This could lead to tensions as boundaries are redefined and room at the top is made for the new kids on the corporate block.”
A ControlPath Compliance Progress Survey found most corporations are not reaching acceptable levels of compliance, even as they spend more to implement multiple compliance mandates. The survey also found that 72 percent of large corporations lack confidence that they are complying with all applicable regulations. In addition, the cost of compliance is clearly on the minds of senior management: when asked to rank the most challenging aspect of compliance, respondents cited the cost of managing it more often than all other issues combined (51 percent).
According to an Oracle Applications Users Group survey, despite years of effort and millions of dollars of investment, nearly 61 percent of companies have not yet completed implementation of their Sarbanes-Oxley compliance processes.
The research cited above drives home the point that compliance may be on some corporate agendas, but many businesses are finding it difficult to implement a suitable compliance structure. Enter the trusted reseller, who has a customer base of firms all asking: what do I need to be compliant with?
Which regulations matter?
Compliance is a minefield of different regulations and laws, and it can be difficult to decipher what is relevant to the Australian market and the channel's customer base. It is hard to cover every regime which will affect resellers' customers; however, certain laws and standards stand out as particularly prevalent:
Data privacy
In the US there are stringent data privacy laws which firms are expected to adhere to, and if the Australian Law Reform Commission (ALRC) has its way, similar regulations will be enforced on local shores.
Last month, the ALRC released a blueprint with 301 proposals for overhauling Australia’s “complex and costly privacy laws and practices”. On releasing Discussion Paper 72, Review of Australian Privacy Law, David Weisbrot, president of the ALRC said it was the product of the largest public consultation process in ALRC history.
“We have received more than 300 submissions and held more than 170 meetings to date, including with business, consumers, young people, health officials, technology experts and privacy advocates and regulators,” said Weisbrot.
“The clearest message from the community is that we must streamline our unnecessarily complex system. The federal Privacy Act sets out different principles for private organisations and for government agencies. On top of that, each state and territory has its own privacy laws or guidelines and some also have separate laws on health privacy.”
Weisbrot said the ALRC is proposing there be a single set of privacy principles for information-handling across all sectors, and all levels of government. This will make it easier and less expensive for organisations to comply, and much simpler for people to understand their rights, he claimed.
“The protection of personal information stored or processed overseas, as is now routine, is another serious concern,” added Weisbrot. “The ALRC wants to ensure that such information has at least the same level of protection as is provided domestically. We propose that a government agency or company that transfers personal information overseas without consent should remain accountable for any breach of privacy that occurs as a result of the transfer.”
Privacy commissioner Karen Curtis was quick to welcome the release of the Discussion Paper as part of the ALRC's review of privacy law in Australia. "The ALRC review is an important process for ensuring that Australians continue to receive a high level of privacy protection in coming years," she said.
Curtis said her office will be assessing the 1983-page Discussion Paper to see the extent to which it addresses the issues the office raised in its submissions to the ALRC, and will be commenting on any new issues and proposals that have been raised.
Payment Card Industry Data Security Standard
PCI DSS was developed by the major credit card companies as a set of security requirements to help organisations that process card payments prevent credit card fraud, hacking and various other security problems. It affects any company that processes, stores or transmits cardholder data: such companies must be PCI DSS-compliant or they risk fines and losing the ability to process credit card payments.
“PCI is being pushed down by the US credit card vendors who have created six governing principles and 12 solution areas,” said Carl Terrantroy, director of technology go-to-market initiatives at Oracle. “Concerning PCI, resellers should be able to look at their customer base and see which ones do credit card transactions and then approach them to have a conversation around PCI.”
Sarbanes-Oxley Act
Enacted in 2002, Sarbanes-Oxley is a US act passed in response to a number of major corporate and accounting scandals. The legislation establishes new or enhanced standards for all US public company boards, management and public accounting firms, including controls over the IT systems that produce financial reports.
“Sarbanes-Oxley is US-based and was huge four years ago, but has died down slightly. It affects US companies, organisations that transact with US companies, and subsidiaries,” said Terrantroy.
Basel II
The aim of Basel II is to create an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face.
It has rigorous risk and capital management requirements designed to make sure that a bank holds capital reserves appropriate to the risk the bank exposes itself to through its lending and investment practices. The rules ensure that the higher the risk to which the bank is exposed, the greater the amount of capital the bank needs to hold to safeguard its solvency and overall economic stability. Operational risk under Basel II includes losses from failed IT systems and processes, which is where the standard touches IT and security.
ISO 17799
The aim of ISO 17799 is to provide "a comprehensive set of controls comprising best practices in information security". It attempts to be an internationally recognised, generic information security standard. The ISO 17799 standard comprises 10 principal sections: Security Policy, System Access Control, Computer and Operations Management, System Development and Maintenance, Physical and Environmental Security, Compliance, Personnel Security, Security Organisation, Asset Classification and Control, and Business Continuity Management (BCM).
AS 3806
AS 3806 is the Australian Standard for compliance programs. It sets out guidelines for establishing, implementing and managing an effective compliance program within an organisation.
While AS 3806 outlines a program that is intended to achieve compliance with the law, it may also be used more widely to assist a firm in complying with codes of practice and organisational standards.
Standards Australia has recently published the updated version of the Australian Standard on compliance programs, AS 3806. The new version of the standard reflects developments in compliance management since the original version was launched in 1998.
HIPAA
The privacy provisions of the federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), apply to health information created or maintained by healthcare providers who engage in certain electronic transactions, health plans, and healthcare clearinghouses.
The Department of Health and Human Services (HHS) has issued the regulation, “Standards for Privacy of Individually Identifiable Health Information,” applicable to entities covered by HIPAA. The Office for Civil Rights (OCR) is the Departmental component responsible for implementing and enforcing the privacy regulation.
Gramm-Leach-Bliley Act
The aim of the GLB Act is to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions. The Act gives authority to eight federal agencies to administer and enforce the Financial Privacy Rule and the Safeguards Rule. Consumers have the right to limit some – but not all – sharing of their information.
The IT industry stance
The list of regulations goes on and the IT industry is alive with the opportunity which compliance creates. Last year SAP acquired Virsa Systems, a privately held developer of compliance and risk management tools that tie into SAP and Microsoft applications. IBM bolstered its security policy compliance portfolio by acquiring Consul, a privately held Netherlands-based firm. Consul makes auditing software for tracking compliance behaviour and sending alerts when users violate a company’s security policy.
One vendor which is investing heavily in developing business around compliance is database giant Oracle. In May the firm released Audit Vault, which it claimed enables channel partners to help businesses monitor compliance with government and industry regulations.
The Audit Vault software is used for collecting, managing and analysing regulatory compliance data and identifying potential security risks and financial liabilities. The new software is part of Oracle’s governance, risk and compliance product line.
“From Oracle’s view, government risk and compliance reliance has come to the forefront as an area we are focusing on,” said Oracle’s Terrantroy. “Organisations need to look at managing risks more proactively. As complexity grows, people are looking at how they can meet compliance mandates.”
Terrantroy said Australia does not have the hefty laws that the US has, and added that no one in the US has gone to jail for not complying with Sarbanes-Oxley.
“Privacy is being pushed to the forefront and this is not just applying to the government, but across all organisations. Over the past two years there have been at least 10 publicised breaches. The difference is these organisations would have got off lightly compared to the US,” he said.
Terrantroy underlined fraud detection and Web 2.0 as two other main drivers behind compliance. "With Web 2.0 there are so many entry points to an organisation and you need to look at how you can secure those web services."
David Dzienciol, director of enterprise partners at security vendor Symantec, said: “Customers have to deal with IT compliance, but this is not new. It is an ongoing challenge and it requires more automation so organisations can reduce costs and inefficiencies.
“In the US in California they have some very serious privacy acts, which have not been enforced over here yet, but if we look at the US we can predict that compliance levels will continue.”
Dzienciol said the problem is that many customers have to manage multiple regulations, which could be internal, from the government or from other bodies.
“We are finding the channel plays a critical role in ensuring organisations are compliant and we feel our partners are best positioned to fill that trusted advisor role,” added Dzienciol.
Chris Thomas, solutions architect in security at CA, said: “We keep an eye on compliance changes and resellers need to keep up-to-date and position themselves as trusted advisors with the right solutions and knowledge.
"For a long time there were the National Privacy Principles, but that was somewhat of a toothless tiger and it didn't have a massive compliance effect."
Thomas stressed the importance of end-users knowing about the compliances which affect them, with the same applying to resellers focusing on specific industries.
Mihai Rusescu, regional operations manager at Bitdefender, said: “Regulatory compliance guidelines have been defining and sculpting the security market for a number of years.
"Recent attacks and well-reported incidents of data loss have had a profound effect upon the industry at large, encouraging stronger guidelines which have, in turn, driven the demand for more effective solutions," he said.
Rusescu highlighted standards such as Australia's AS 3806 and Sarbanes-Oxley in the US as significant in offering best practices which protect both customers and the organisation itself.
“Larger enterprise organisations have led the way in implementing circumspect risk management solutions that protect the company from internal as well as externally-initiated leakage. These solutions are costly, difficult to deploy, and unwieldy for all but the largest corporations,” said Rusescu. “However, the need is the same regardless of business size – all companies want to protect themselves and their customers.”
Rusescu said that as these growing companies begin to develop security policies and procedures to meet this challenge, they may find themselves at a disadvantage since they often lack the resources to deploy a deep compliance strategy.
“Small and medium businesses in particular are loath to shoulder the burden of compliance, as the resources they have are better employed elsewhere,” said Rusescu.
The reseller opportunity
Vendors know the importance of their channel and this is particularly true when it comes to interaction with the end-user. There is an opportunity for channel partners in the compliance landscape, and vendors are making sure resellers are aware of such prospects.
“It is hard to find, especially in the corporate area, networks which are not using at this time some sort of web security software,” continued Rusescu. “As a result, resellers are either doing renewals, usually at a lower price value than the initial sale, or trying to persuade the end-user to change the security product, thus a longer sales cycle but potentially more rewarding from a financial compensation standpoint.”
Rusescu said with the new regulations coming into place, he believes a whole new initial market is being created, with only a few corporations which are already complying with the new laws and regulations.
“To sustain this hypothesis, one of the recent articles that I have read was describing how a network penetration test performed by non-IT students with free tools available on the Internet and deployed on 200 of Australia’s largest enterprises has actually succeeded in 79 percent of cases to actually penetrate the “attacked” networks. More than half of those 21 percent which resisted the penetration attack were using freeware IDS-like tools, and remember we are talking about 200 largest enterprises in Australia.”
Rusescu said resellers can benefit from an initial market that will unfold in front of their eyes, with the additional benefits that come with legal enforcement: strong and quick demand created in the market, shorter sales cycles and bigger returns per account sold.
“Resellers, as vendors alike, have to be ready to fill in the gaps in the market, to support and even certify the compliance with the new standards set by the law,” added Rusescu.
Terrantroy at Oracle said: “Resellers are always after the next big thing and the largest market opportunity. We hear about customers being told they need to be compliant and they in turn approach their reseller and ask.”
Dzienciol at Symantec, said: “We enable our partners on a pre-sales perspective and enable them on information in industry fraud and information on our solutions.
“Compliance is a very wide area to be focused on. We feel the opportunity is there to provide different types of services and to build services around policies and that relationship is not only on the security side, but on the data and storage side, too.
Bringing together all of these areas is the opportunity for the channel.” Dzienciol added that moving forward channel partners will play a critical role in the future development of IT governance.
Brian Brannigan, managing director of Sydney-based reseller Agreon, said: “What is being legislated in the US is being transferred to Australia as best practices being enforced over here.
“The recommendations being supplied by auditors are now being deemed as something to address, where before a blind eye was being turned.”
Brannigan said there is wide-scale focus from vendors on compliance solutions, but delivery of these solutions is the opportunity for resellers. “For system integrators this is music to our ears and resellers will benefit from the cascade of awareness around compliance,” added Brannigan.
Know your customers’ needs
A number of compliance issues often face the finance and banking vertical, which is a point worth noting for resellers keen to cash in on compliance regulations.
There is also a tendency for compliance to mainly affect larger end-users, who are also the main firms which choose to employ wide-scale compliance set-ups.
However, compliance is not restricted to larger financial organisations, and the best way for resellers to profit from compliance is by going back to their customer base and casting an eye over their end-user demographic. The easiest customer to win is the one you already have. With that in mind, if resellers know what their customers need to be compliant with, then they can be on hand to advise on and implement the solution needed.
For further details on compliance, register free for CRN’s Storage Compliance and Disaster Recovery web seminar on the 14th November. Avnet and IBM will tell you all about the latest technology as well as how you can leverage Sales, Marketing and Technical programs that will ensure that you are your customer’s best reference when it comes to storage solutions.
Cashing in on compliance
By Trevor Treharne on Oct 29, 2007 12:40PM