Last week we hosted a webcast entitled "Achieving and Maintaining Federal Compliance". For those of you who are new to this subject, compliance management (or policy management) is the process of ensuring that your IT department is complying with the rules and standards that have been mandated either by a governing authority or by the management team within your own organization. It can be as simple as verifying that all of your outside interfaces have specific access control lists (ACLs) applied to them, or that all of your users' passwords meet a certain strength requirement. However, it can also be quite complex and involve a mixture of technical details like these and procedural details around how you document and mitigate identified security incidents and ensure effective log management.
The focus of this webcast was to educate people on best practices for managing compliance requirements within US federal government organizations. While the event centered on federal government requirements like FISMA, NIST, DISA STIGs, and HIPAA, many of these same practices can be applied to HIPAA within non-federal organizations and to complying with non-federal requirements like SOX and PCI.
What I liked about this webcast is that we were able to show that "compliance" is no longer one of those dirty words to be avoided at all costs by geeks like me. Sure, in the old days compliance usually meant days of manual effort to produce reports for people who wouldn't really understand them. Those reports would be out of date the minute they were produced, and the feedback provided by the reviewers never seemed to actually add any value. Nowadays, though, things are different. Most tools today, like our Network Configuration Manager (NCM) and our SIEM tool, Log and Event Manager, make managing compliance requirements and policy management easy and pain-free. Additionally, these applications allow you to do compliance management on the fly, in real time, which dramatically improves the effectiveness of the process as a whole.
Do you have to manage compliance requirements in your organization? If so, we'd love to hear from you. Post a comment and tell us some of the issues that you face and how you're currently dealing with them.