
Compliance - is it still a four letter word?

Level 12

Last week we hosted a webcast entitled "Achieving and Maintaining Federal Compliance". For those of you who are new to this subject, compliance management (or policy management) is the process of ensuring that your IT department is complying with the rules and standards that have been mandated either by a governing authority or by the management team within your own organization. It can be as simple as verifying that all of your outside interfaces have specific access control lists (ACLs) applied to them, or that all of your users' passwords are of a certain strength. However, it can also be quite complex and involve a mixture of technical details like these and procedural details around how you document and mitigate identified security incidents and ensure effective log management.

The focus of this webcast was to educate people on best practices for managing compliance requirements within US federal government organizations. While the event centered on federal requirements like FISMA, NIST, DISA STIGs, and HIPAA, many of the same practices apply to HIPAA within non-federal organizations and to non-federal requirements like SOX and PCI.

You can watch the recorded version here or download the slides here.

What I liked about this webcast is that we were able to show that "compliance" is no longer one of those dirty, four-letter words to be avoided at all costs by geeks like me. Sure, in the old days compliance usually meant days of manual effort to produce reports for people who wouldn't really understand them. Those reports would be out of date the minute they were produced, and the feedback from the reviewers never seemed to provide any real value. Nowadays, though, things are different. Most tools today - like our Network Configuration Manager (NCM) and our SIEM tool, Log and Event Manager - make managing compliance requirements and policy management easy and pain free. Additionally, these applications allow you to do compliance management on the fly, in real time, which dramatically improves the effectiveness of the process as a whole.

Do you have to manage compliance requirements in your organization? If so, we'd love to hear from you. Post a comment and tell us some of the issues that you face and how you're currently dealing with them.

Flame on...
Follow me on Twitter

Level 11

Does anyone know where I can get access to this webinar? I followed the link and it said webinar not available.

Level 9

LEM is clearly going to be a great way to deal with auditors.  Check this fun (and short) video about dealing with auditors out

LEM is the way to give them the information they need so you can pass the audit

Level 11

Just as an FYI.  Speaking of compliance issues, your slideshow on slideshare will be blocked by all DOD networks as a file sharing service.  I am sure it is good information but cannot access it because of DOD proxy guidelines on websites.


LEM is useful for part of the audit.

I am in the middle of a SOX audit now... 

Have to show the monitoring is in place for specific things, have to show the automation wrapped around the monitoring events as well as the logged events.

HIPAA is my industry's compliance master, but we follow SOX and other guidelines that are not strictly "compliance" solutions as well (e.g.:  IEEE, BICSI, NEC, etc.).




I'm in the middle of DSS audits this week!  So it's line by line going through STIG after STIG after STIG!

Level 11

STIGs are the best.  Almost 20 years I have been contracting with the gov and running STIGs since Windows 2000 STIGs were a paper checklist.  Too much fun.  compliance apps are the bomb but many systems still have to be checked manually - DNS still has a lot of manual tasks...

Level 12

Option 4 seems to be my favorite!!!!

Some say his security implementations are developed in secured and isolated Lunar facilities, and that his helmet's facemask is darkened to obscure his facial tics.

Some say his shoes contain superconducting nano-bots, and that he puts Ketchup on every variety of hot meat.

Some say the NSA has a standing request for his contracted services at any price, and that he has been given three resilient trans-Atlantic 100 Gb fiber paths from his garage to Washington DC.

Some say his body heat powers an internal backup power brick that inductively supports all his personal communication technology, and that it operates a personal stealth shield that prevents him from being tracked by satellite technology.

Some say he has eleven wisdom teeth that were never removed, and that he prefers orange juice to milk on his breakfast cereal.

Some say he has an indefinite contract requiring him to put 363 dimples in every golf ball, and that he nearly removed his helmet for the first time when he observed a dog riding a duck.

Some say he drives a custom British Leyland that is simultaneously an amphibious vehicle, a double-decker bus, and a half-track, and that he keeps his offspring in a vestigial pouch.

All I know is we call him The Stig!



Just the word compliance makes most of us stiffen our backs, cross our arms and retreat to childhood with a rebellious attitude. But therein lies a key - attitude. If you can change things, do so, but if you can't change things, why let the "rules" upset you? Yes, they can be a pain, expensive, time consuming, redundant, etc. etc. But at the end of the day our chosen profession puts us in the position of providing services to our customers at the best possible level that we can. In most cases there is someone above us who has to take the actual "case" to those that hold the purse strings. (Sorry if you are a purse string holder - we complain about you, but we also know you have a difficult job to do.) It's up to us to do the best we can, make the best recommendations and live with the decisions that they have made. Part of our recommendations needs to clearly outline the risks and benefits, as sometimes taking the risk is the better option for leadership, but let them make that decision.

I don't like having to comply with regulations from the "outside", but if you read most of them with an open mind you'll find that mostly they intend to make things better, not just more cumbersome.

(There are exceptions to all of this)