Computerworld - It was like finding a needle in a haystack. On her first day as security and risk manager at the Pennsylvania Department of Public Welfare, Pamela Skelton was met with piles of disorganized compliance files and random pieces of paper that her predecessor had left behind.
When she was told that an IRS audit report was due in a few months, a mild panic set in. "I saw all this paper and said, 'Where is everything?' It was very disorganized. I could never find anything that I needed," she recalls. That was just the start of a risk compliance odyssey for Skelton and her team.
The Department of Public Welfare must safeguard the financial and medical data of its 2.7 million participants. Yet with more than 4,000 federal and state regulatory requirements and policies to comply with, trying to gather and review data and take corrective action in response to myriad audits became nearly impossible.
By 2010, record keeping had gotten so murky that the department's annual security review had fallen by the wayside. "We had not given a response back to the IRS in years," says Clifton Van Scyoc, the department's chief information security officer. Other required audits had fallen behind, too, he adds.
While there are no official penalties associated with a lack of response, the missed deadlines pointed to a harsh reality: "We do not have the most secure environment if we are not actively reviewing this information and creating responses to them. They aren't even able to appropriately define where our [security] gaps are if we aren't making these responses," says Van Scyoc.
That same year, the department began building an ambitious security risk framework that would capture all of the controls it had to comply with and drop them into an Excel spreadsheet. Then a team analyzed the individual requirements in each control and decided which one was the most stringent and then used that one control to cover all similar requirements. As a result, some 4,000 individual regulatory requirements were rationalized into 350 unique integrated requirements.
Three full-time staffers spent seven months pulling together all the controls and putting them into the spreadsheet. Van Scyoc says the file eventually reached an "astronomical" size, so he added a governance, risk and compliance (GRC) tool from RSA Archer, which gave the department "one electronic version of all of our controls down to the individual level," as well as historical records and the ability to perform timely audits and develop corrective action plans.
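The rationalization step described above, as an added Python example that is not the article's or the department's own code: requirements are grouped by control family, the most stringent one (by an analyst-assigned strictness score, an assumption here) becomes the single integrated control, and every source regulation stays traceable so one regulator's audit can be answered from the integrated set. The requirement data is constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    source: str      # regulation or policy the requirement comes from
    control: str     # control family the analyst mapped it to
    text: str
    strictness: int  # analyst-assigned score; higher means more demanding


@dataclass
class IntegratedControl:
    control: str
    chosen: Requirement       # strictest requirement, used to cover the whole group
    covered_sources: tuple    # every regulation this one control satisfies


# Constructed sample requirements; illustrative only, not the department's real controls.
REQUIREMENTS = [
    Requirement("IRS Pub 1075", "password-length", "Minimum 8-character passwords", 8),
    Requirement("State policy", "password-length", "Minimum 12-character passwords", 12),
    Requirement("HIPAA", "password-length", "Minimum 8-character passwords", 8),
    Requirement("IRS Pub 1075", "log-retention", "Retain audit logs 3 years", 3),
    Requirement("State policy", "log-retention", "Retain audit logs 1 year", 1),
    Requirement("HIPAA", "log-retention", "Retain audit logs 6 years", 6),
    Requirement("State policy", "session-timeout", "Lock idle sessions after 15 min", 2),
    Requirement("IRS Pub 1075", "session-timeout", "Lock idle sessions after 30 min", 1),
]


def rationalize(reqs):
    """Collapse overlapping requirements into one integrated control per family."""
    by_control = defaultdict(list)
    for r in reqs:
        by_control[r.control].append(r)
    integrated = {}
    for control, group in by_control.items():
        chosen = max(group, key=lambda r: r.strictness)   # strictest wins
        sources = tuple(sorted({r.source for r in group}))
        integrated[control] = IntegratedControl(control, chosen, sources)
    return integrated


def audit_view(integrated, source):
    """Integrated controls that answer one regulator's audit (e.g. the IRS)."""
    return sorted(c.control for c in integrated.values() if source in c.covered_sources)


if __name__ == "__main__":
    result = rationalize(REQUIREMENTS)
    print(f"{len(REQUIREMENTS)} requirements -> {len(result)} integrated controls")
    for c in result.values():
        print(f"{c.control}: '{c.chosen.text}' ({c.chosen.source}) covers {c.covered_sources}")
    print("IRS audit answered by:", audit_view(result, "IRS Pub 1075"))
```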
"We now have an improved focus on what [audits] are still outstanding and are able to more proactively manage and monitor getting those completed on time," says James Weaver, deputy CIO for the Department of Public Welfare.
The size and complexity of the department's task impressed one industry analyst. "For a state agency of this size, it's a huge undertaking and probably a gigantic investment for them," says Renee Murphy, a security and risk management analyst at Forrester Research. "It also speaks volumes about them -- that they were willing to take it that seriously and go to that length to solve the problem."
The department's road to an IT risk management system wasn't an easy one, given the complex interweavings of regulations to deal with and the fact that new requirements are added monthly. But those staffers who were involved in the process say there were many aha moments and newly discovered benefits along the way.