March 24, 2005 - Thou Shalt Not Do Business Carelessly: Managing Compliance Standards
By Benedict Campbell
Question: What are the biggest compliance concerns in the markets that your company addresses?
Campbell: Compliance is necessary, regardless of the size of an organization. Health care privacy applies to small doctor offices and large hospital groups. Education privacy applies to small private schools and to major universities. Government privacy applies to municipal branch government offices and up to the federal government. Small and mid-sized businesses accepting credit cards on an Internet Web site must protect customer account information the same as large financial concerns. Smaller organizations have not been able to acquire security solutions that either secure or report simply because they did not have the financial resources to acquire the technology or the technical resources to support the deployment of the technology. Dependency on the Internet, whether by e-mail or for data access, requires all organizations to be concerned with threats, managing their user population to minimize possible IT use behavior impacts on compliance, and the ability to report system use of a server or a user's device.
Question: Privacyware's products relate to the security of hosts. How are compliance issues involved?
Campbell: Organizations must not only protect information. They must document their security practices to demonstrate compliance with best practices for IT security. Privacyware's solutions meet the security piece related to hosts, involving protection, integrity and reporting. The technology works by training itself to create a baseline profile of the network in various states to determine what happens under normal conditions. It determines what different users do, the resources they typically request, what types of files they transfer, and so on. All those routine events are then grouped into clusters that represent normal activity. For example, it may be sensible to define models that focus on different sorts of users, such as administrators, marketing employees, and anonymous end users. For each type of user, the engine will determine which events are considered normal and group them into a cluster. The goal is not to determine an exact profile of what any given type of user does but rather to establish patterns. This analysis satisfies some of the needs for regulatory compliance documentation, such as Sarbanes-Oxley. Compliance is complex, but a lot of it comes down to having to report what has happened on the network and whether or not it is acceptable. At the end of the day, if you're doing business on the Internet, you must comply with the commandment, "Thou shalt not do business carelessly."
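The per-user-type baselining Campbell describes, as an added illustration that is not Privacyware's code: train on a constructed sample of host events, form one cluster of routine (action, resource) pairs per role, then report events that fall outside their role's cluster for the compliance record. Roles, actions and resources are assumed sample values.

```python
"""Role-based host activity baselining, in the spirit of the profiling
described in the interview. Added illustration, not Privacyware code.
All event records below are constructed sample data."""
from collections import Counter, defaultdict

# Constructed training log captured under "normal" conditions:
# (role, action, resource)
TRAINING = [
    ("admin", "login", "srv01"), ("admin", "edit", "/etc/ssh/sshd_config"),
    ("admin", "transfer", "*.log"), ("admin", "login", "srv01"),
    ("marketing", "login", "srv02"), ("marketing", "transfer", "*.pdf"),
    ("marketing", "read", "/share/campaigns"), ("marketing", "transfer", "*.pdf"),
    ("anonymous", "read", "/public/index.html"), ("anonymous", "read", "/public/catalog"),
    ("anonymous", "read", "/public/index.html"),
]


def build_baseline(events, min_count=1):
    """Group routine (action, resource) pairs into one cluster per role.
    Pairs seen fewer than min_count times during training are treated as
    noise rather than as part of the role's normal pattern."""
    counts = defaultdict(Counter)
    for role, action, resource in events:
        counts[role][(action, resource)] += 1
    return {role: {pair for pair, n in c.items() if n >= min_count}
            for role, c in counts.items()}


def score_events(baseline, events):
    """Report each event outside its role's cluster, and any role with no
    baseline at all. Returns (role, action, resource, reason) tuples that
    can go straight into a 'what happened and was it acceptable' report."""
    findings = []
    for role, action, resource in events:
        if role not in baseline:
            findings.append((role, action, resource, "unknown role"))
        elif (action, resource) not in baseline[role]:
            findings.append((role, action, resource, "outside baseline"))
    return findings


if __name__ == "__main__":
    profile = build_baseline(TRAINING)
    window = [("marketing", "edit", "/etc/ssh/sshd_config"),
              ("anonymous", "read", "/public/catalog"),
              ("contractor", "login", "srv01")]
    for finding in score_events(profile, window):
        print(finding)
```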
Question: What is your assessment of the market for these types of products?
Campbell: We think it is wide open. Enterprises still need intrusion detection and prevention, but complete security means starting at the host and moving to the perimeter or the other way around. We're seeing a lot of schools buying our product because they recognize what it can do and that it doesn't cost a lot of money. Hospitals are coming on board for the same reasons, in their case for the protection of billing information for insurance claims. Municipal governments are also just as seriously impacted from a resource perspective. They don't have in-house expertise and they need to add security without killing themselves.