When a company’s board makes a decision to become compliant with regulations such as Sarbanes-Oxley (SOX) in the U.S. or PIPEDA in Canada, it soon falls on the hapless network manager to make it work.
The first step to take with compliance is to actually figure out how compliant a network already is. This often proves to be a difficult step, as many network managers have no idea where to begin or what to look for.
“The biggest demand is for simpler reporting,” said Ross Chevalier, CTO of Novell Canada Inc. in Toronto. “Makers of infrastructure technologies have been capable of doing this kind of (information gathering) work in the past. But what has not been there are pre-formatted reports and architectural constructs that support the production of a simple-to-understand SOX or PIPEDA audit report.”
A SOX audit report should be able to tell a network manager who has access to data, what information in a database has been changed, when information was changed and how it was changed.
A PIPEDA audit report should say what information is available on a network, whether critical data is encrypted, what information has been accessed and when changes were made to data.
Chevalier said Novell has begun incorporating ready-made sets of compliance templates into its Nsure Identity Manager product. He added the auditing tool only requires some educating of the network manager to know what kinds of information need to be gathered and then the report can be customized so as to reflect the particular compliance questions for a business. At the same time, the reports have a non-repudiation feature so the report cannot be altered.
If knowing what kinds of information a company has on its network and how vulnerable it is to tampering and alteration is the first step, the next step is setting policies and putting in place mechanisms to control access to and the safe storage of data. This is most critical in healthcare because of stored patient information.
“We are not allowed to share client/patient information without that person’s permission,” said Roy Southby, director of information technology with the Interior Health Authority (IHA) in Kelowna, B.C. The IHA serves some 690,000 citizens through 183 health sites in the province. “We control very strictly which of our staff can see patient information. For example, the medical staff can see a patient’s medical records, but non-medical staff cannot have access to those records.”
Last year, IHA turned to EMC Corp. in Toronto and its Symmetrix and Centera solutions to consolidate its medical and patient information. EMC helped IHA back up and archive data onto sites located in Kelowna, B.C. and Kamloops, B.C. so IHA complies with the PIPEDA requirements that sensitive information be archived for fast retrieval and prevented from being altered or compromised in any way. The Symmetrix solution allowed the information from the 183 health sites to be amalgamated, while the Centera solution allowed the automation of data backups and archiving. Southby said what is essential in storing data collected by the EMC systems is that the data cannot be altered and that an audit trail can be generated to show who had access to the data. This is critical since, under PIPEDA, companies handling sensitive information must ensure data is not tampered with in any way once it is collected, and must be able to produce a complete trail of who had access to that data and whether any changes were made to it.
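The audit trail described in this article answers four questions (who, what, when, how) and must itself be protected from alteration. The following is an added example, not code from Novell, EMC or IHA: a hash-chained, append-only audit log whose entries carry those four fields, with a check that flags the first link that was rewritten or removed. Actor names, record ids and timestamps are constructed; a chain like this gives tamper evidence, and the non-repudiation the article mentions would additionally need each link signed or written to non-rewritable storage.

```python
import hashlib
import json

# Constructed example: each link hashes the previous link's hash together with
# a canonical encoding of its entry, so editing or dropping any entry breaks
# every hash that follows it.
GENESIS = "0" * 64


def _digest(prev_hash: str, entry: dict) -> str:
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(log: list, actor: str, record: str, field: str, old, new, ts: str) -> dict:
    """Record who (actor) changed what (record/field, old -> new) and when (ts)."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"actor": actor, "record": record, "field": field, "old": old, "new": new, "ts": ts}
    link = {"entry": entry, "prev": prev, "hash": _digest(prev, entry)}
    log.append(link)
    return link


def verify_chain(log: list) -> int:
    """Return -1 if every link is intact, else the index of the first broken link."""
    prev = GENESIS
    for i, link in enumerate(log):
        if link["prev"] != prev or _digest(prev, link["entry"]) != link["hash"]:
            return i
        prev = link["hash"]
    return -1


def change_report(log: list, record: str) -> list:
    """The SOX-style report for one record: who changed which field, when, and from/to what."""
    return [link["entry"] for link in log if link["entry"]["record"] == record]


def build_sample_log() -> list:
    # Constructed sample events; the names, ids and values are made up.
    log = []
    append_entry(log, "nurse.a", "patient/1001", "allergy", None, "penicillin", "2024-01-05T09:12:00Z")
    append_entry(log, "clerk.b", "patient/1001", "address", "1 Main St", "2 Elm St", "2024-01-06T10:00:00Z")
    append_entry(log, "dr.c", "patient/1002", "diagnosis", None, "code-X", "2024-01-07T11:30:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log) == -1)
    log[1]["entry"]["new"] = "3 Oak St"  # a later rewrite of history
    print("first broken link:", verify_chain(log))  # 1
```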