The Shortcut Guide to Network Compliance and Securityby Don Jones
One of the reasons that compliance management has become such a boom business for consultants is that companies know their existing techniques often arenâ€™t sufficient to meet compliance requirements. Worse, companies often arenâ€™t even sure how regulations such as HIPAA, the Sarbanes-Oxley Act, 21 CFR, and more even apply to their technological assets. Too often, regulation requirements are dumped onto technical professionals for implementation, leaving those professionals confused and frustrated about what they are supposed to do. It doesnâ€™t have to be this way. The Shortcut Guide to Network Compliance and Security offers a few useful tools to make compliance easy and straightforward. This guide will enable your organization to focus on business instead of these mandatory rules.
Chapter 1: Understanding IT Compliance
Compliance has become one of the hottest buzzwords of the information technology (IT) industry. With new legislationâ€”such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act, 21 Code of Federal Regulations (CFR), and moreâ€”compliance has become the most important item on many IT professionalsâ€™ to-do lists. Compliance has gained the spotlight and has therefore become a much more recognizable issue at higher levels of management, which means that is it is now being given more attention throughout many organizations. The quest for compliance has launched entire consulting practices, resulted in the development of products, and become the focus of billions of dollarsâ€™ in technology spending. But what is compliance?
This guide explores the underlying meaning of IT compliance, apart from all the hype and publicity. It will explain how the IT industry has been handling compliance for decades, and how new technologies and techniques can help you better handle compliance moving forward. To prove that compliance has always been with us, weâ€™ll focus on an often-overlooked area of ITâ€” the network infrastructure.
Chapter 2: Traditional Compliance Techniques
How do we make sure weâ€™re compliant? Itâ€™s an age-old question in the IT industry. As I mentioned in the previous chapter, compliance simply means obeying a set of rules; IT folks have been trying to obey rules long before legislative bodies such as the United States Congress and the European Union got into the act. Whether youâ€™re trying to comply with rules that relate to security, privacy, operational stability, or governance, knowing how to make your network compliantâ€”and keep it that wayâ€”can be a complex task. In this chapter, weâ€™ll explore the traditional ways in which network administrators and engineers have dealt with compliance, and discuss how those ways helpâ€”and sometimes hinderâ€”the overall compliance effort.
Chapter 3: IT Compliance for Today
One of the reasons that compliance management has become such a boom business for consultants is that companies know their existing techniques often arenâ€™t sufficient to meet compliance requirements. Worse, companies often arenâ€™t even sure how regulationsâ€”such as HIPAA, the Sarbanes-Oxley Act, 21 CFR, and moreâ€”even apply to their technological assets. Too often, regulation requirements are dumped onto technical professionals for implementation, leaving those professionals confused and frustrated about what they are supposed to do. It doesnâ€™t have to be this wayâ€”with the help of a few useful tools, compliance can be easy and straightforward and enable your organization to focus on business instead of these mandatory rules.
Matching Business and IT Compliance
One of the most irritating and frustrating situations for a technical professional is to have a manager dump some new, arbitrary set of rules on them without explaining what they mean or why they must be applied. Yet that is what many managersâ€”themselves confused by how legislation applies to the businessâ€”wind up doing. The result is confusion, frustration, inefficiency, and often poorly implemented compliance. Technical professionals are accustomed to implementing business policies, working with a single set of rules, and translating those rules into technical requirements; you should approach compliance the same way.
Chapter 4: Network Compliance Best Practices and Methodologies
Compliance management at the network infrastructure level can be complicated. Combining difficult-to-understand legal requirements with detailed, complex technologies often results in confusion, frustration, and difficulty. Many organizations do the best job they can, relying on simple point-in-time audits to ensure compliance. These companies are then surprised when their networks are able to quickly go out of compliance, often without anyone taking notice.
As Iâ€™ve discussed in the previous chapters, however, compliance doesnâ€™t have to be complicated. By managing compliance requirements as you would any other type of business policy, and by implementing tools that can automate compliance and configuration management, maintaining a compliant network can be straightforward. Another way to simplify compliance management is to implement best practices and sound methodologies for managing your network, which is what this chapter is all about.