Regulatory “Alphabet Soup”
A slew of new legislation and standards has emerged in the aftermath of the Enron, WorldCom and other debacles as governments impose measures designed to prevent future collapses. Those with the most far-reaching consequences include the following:
- Sarbanes-Oxley Act (SOX): a broad set of regulations and procedural mandates applicable to all companies listed on U.S. stock exchanges.
- Basel II / ITIL / BS 15000: Basel II is the international banking accord on capital adequacy, which also covers operational (including IT) risk; ITIL and BS 15000 are the IT Service Management framework and the British standard based on it, widely adopted by European financial institutions to demonstrate controlled IT operations.
- Gramm-Leach-Bliley Act: regulations designed to protect the privacy of personal financial information held by financial institutions such as banks, securities firms, insurance companies, and purveyors of consumer-oriented financial products and services.
- FDA: the U.S. Food and Drug Administration has ratcheted up the IT control procedures that must be followed by pharmaceutical companies in order to achieve and maintain FDA approval for products.
- HIPAA: seeks to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. The Act mandates standardized formats for all patient health, administrative, and financial data; unique identifiers (ID numbers) for each healthcare entity, including individuals, employers, health plans and health care providers; and security mechanisms to ensure confidentiality and data integrity for any information that identifies an individual.
- E911: regulations regarding emergency location identification in an era of VoIP telephony.
Sarbanes-Oxley: the New Bane of Corporate IT
For the IT departments of numerous corporations, the most onerous of all the new regulations is the Sarbanes-Oxley Act of 2002 (SOX). This comprehensive legislation was enacted by Congress and is enforced by the Securities and Exchange Commission (SEC) to protect shareholders and the general public from a company’s accounting errors and fraudulent practices. A major outgrowth of SOX’s mandate to improve corporate transparency and accountability has been far-reaching directives requiring a new level of information system documentation and much more stringent security and access control.
In fact, SOX makes corporate officers personally accountable for the accuracy of financial reports and for the effectiveness of the internal controls behind them, so a failure of those controls, including unauthorized or even inadvertent disclosure of financial data, exposes the corporation as well as its owners and managers to liability. As such, businesses now recognize the risk associated with network security breaches and are earmarking budgets for investment in security projects involving access control, authentication, and preservation of audit information.
The execution of these projects is falling on the shoulders of the IT department, which must find and implement cost-effective solutions for SOX compliance while continuing with all ongoing activities.
The Biggest Problems: Documentation and Audit Trails
Much of the literature regarding IT compliance with SOX, Basel II, ITIL and other regulations has concentrated on attaining reliability, replicability and auditability of data. However, the security, control and documentation of the network’s underlying infrastructure, the physical layer, are of equal concern to the regulations, and breaches at that layer carry equal weight.
The Standard Operating Procedures (SOPs) required mandate new approaches to the management of network changes and configuration, and the integration and centralization of access control. Comprehensive documentation is required to perform correlated audits regarding who had access to information at what time, together with when and why access models were changed.
Within the FDA guidelines, for instance, it is clearly stated that SOPs should be established for, but not limited to:
- System Setup/Installation
- Data Collection and Handling
- System Maintenance
- Data Backup, Recovery, and Contingency Plans
- Change Control
All these procedures have to be planned, implemented and audited, and each of the separate stages also has to be documented. The vast documentation implied by these directives begins at the time of network and procedural planning, and continues through implementation and operation.
Clear, accessible documentation must provide an accurate picture of the network’s entire physical layer, including a description of all computerized systems and the relationship of hardware, software, and the physical environment.
In addition, a clear audit trail must be provided regarding all provisions, MACs (Move, Add or Change), maintenance work orders, and upgrades. With a policy of positive control, the IT staff must be able to positively guarantee that no unauthorized equipment is connected to the network, and that every physical connection over which information could leave the organization is known, authorized and accounted for.
Intelligent Infrastructure Management Solution: Automating Compliance at the Physical Layer
Although originally designed over a decade ago, before this legislation came into existence, the Intelligent Infrastructure Management Solution offers IT and infrastructure managers the ability to take control of their entire wired network infrastructure, automatically monitoring all mission-critical connections and networked devices throughout all enterprise premises and locations for connection, provisioning, maintenance and connection-based security.
The ability of the system to document all activities translates into a huge time-saver for overworked network personnel who, even with the assistance of the system, are busy enough planning and implementing that little time is left to document all network activity adequately.
Intelligent Infrastructure Management Solution offers the following key benefits to assist in compliance with legislation:
- Managed system deployment and provisioning
- Physical Layer Work Orders, Reports and Forensics: documenting infrastructure maintenance, performance, and asset management.
- Change and configuration management
- Audit trail: the ability to automatically document not only the implementation but also the planning of work orders, MACs etc.
- Ensure Network Infrastructure Reliability: Intelligent Infrastructure Management Solution provides real-time location-based information for pinpointing connectivity failures and disconnected devices (including servers, workstations, printers, IP phones and others) and LED-guided troubleshooting to reduce mean time to repair. The additional ability to distinguish between authorized and unauthorized disconnections further strengthens the usefulness of this solution.
- Enhanced Connection-Based Security Compliance: monitoring and tracking on-site users by connection, to safeguard connections and secure network presence, identify illegal devices and protect property against tampering.
- Centralized and Remote Control of Enterprise-Wide Connections: managing an unlimited number of connections across premises, global sites and remote branch offices.
- Reduce IT Costs through Automated Moves, Adds and Changes: remote provisioning and deployment of connectivity and networked devices across premises.
- Disaster recovery
PV4E’s unique end-to-end system tracks network connectivity from the Terminal Equipment (PCs, telephones, IP phones, printers, etc.) through the Physical Connectivity Component (patch panels and cables) to the Network Equipment (LAN switches, PBXs, hubs, etc.).
Work Order Module
Each task is assigned to a technician and a completion date for the task is determined. Technicians take ownership and perform their assigned tasks. Once tasks are completed the database is automatically updated, eliminating the need for manual data entry. From Work Order initiation to Work Order completion, the status of a Work Order or of an assigned task can be monitored.
P-LET discovers all active devices on the network and maps them with their location and link information. Information about the Station is collected during the discovery process, which includes the IP address, MAC address, Host Name and Service type. All this information is then entered into the database automatically and is available to the network administrator in a graphical representation.
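The discovery and work-order features described above come together in one check a compliance auditor will ask for: reconcile what is actually plugged into the switches against the documented baseline, flag unauthorized equipment and undocumented moves, and tell authorized disconnections (covered by an open work order) apart from unauthorized ones, writing every deviation to an audit trail. The script below is an added example written for this article; it is not code from PV4E, P-LET or any other product named on the page. The discovery dump format (switch, port, MAC, IP, hostname), the baseline and work-order layouts, and all MAC addresses, hostnames and port names are constructed for illustration.

```python
"""Reconcile a discovered physical-layer inventory against an authorized baseline.

Added example for this article; not code from the page or from the product it
describes.  Record layout, work-order format and all sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    switch: str
    port: str
    mac: str
    ip: str
    hostname: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-CC-00-11-22', 'aabb.cc00.1122'
    and 'aa:bb:cc:00:11:22' compare equal.  Anything that is not 12 hex digits
    is rejected rather than silently matched."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_discovery(text: str) -> list[Link]:
    """Parse the constructed dump: 'switch port mac ip hostname' per line,
    '#' starting a comment.  A real discovery engine's output would differ."""
    links = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        switch, port, mac, ip, hostname = line.split()
        links.append(Link(switch, port, normalize_mac(mac), ip, hostname))
    return links


def reconcile(discovered, baseline, open_work_orders=frozenset()):
    """Compare the live link table with the documented baseline.

    baseline: {(switch, port): mac} -- the approved connectivity on record.
    open_work_orders: set of (switch, port) with an approved change in progress.

    Returns {finding_kind: [(switch, port, mac), ...]}:
      ok                      port carries exactly the MAC on record
      rogue                   MAC not in the baseline at all (unauthorized equipment)
      moved                   a documented MAC seen on a port other than its own
      authorized_disconnect   documented device absent, but a work order covers the port
      unauthorized_disconnect documented device absent with no work order
    """
    base = {key: normalize_mac(mac) for key, mac in baseline.items()}
    documented_macs = set(base.values())
    findings = {k: [] for k in ("ok", "rogue", "moved",
                                "authorized_disconnect", "unauthorized_disconnect")}
    seen_macs = set()
    for link in discovered:
        seen_macs.add(link.mac)
        record = (link.switch, link.port, link.mac)
        if base.get((link.switch, link.port)) == link.mac:
            findings["ok"].append(record)
        elif link.mac in documented_macs:
            findings["moved"].append(record)
        else:
            findings["rogue"].append(record)
    # A documented device that is not seen anywhere is a disconnection; a device
    # seen on the wrong port was already reported as moved, not as missing.
    for (switch, port), mac in base.items():
        if mac in seen_macs:
            continue
        kind = "authorized_disconnect" if (switch, port) in open_work_orders \
            else "unauthorized_disconnect"
        findings[kind].append((switch, port, mac))
    return findings


def audit_lines(findings, timestamp: str) -> list[str]:
    """Render every deviation from the baseline as an append-only audit record."""
    return [f"{timestamp} {kind.upper()} {switch}/{port} {mac}"
            for kind, entries in findings.items() if kind != "ok"
            for switch, port, mac in entries]


# Constructed sample data: one floor switch, mixed MAC notations as a discovery
# tool might emit them, one undocumented move, one unknown laptop.
DISCOVERY = """\
# switch     port     mac                ip          hostname
sw-floor2    Gi1/0/1  00:1B:44:11:3A:B7  10.20.2.11  ws-finance-01
sw-floor2    Gi1/0/2  001b.4411.3ab8     10.20.2.12  ws-finance-02
sw-floor2    Gi1/0/5  00-1B-44-11-3A-B9  10.20.2.40  ws-finance-03   # documented on Gi1/0/3
sw-floor2    Gi1/0/7  D4:6E:0E:AA:BB:CC  10.20.2.99  unknown-laptop  # not in baseline
"""
BASELINE = {
    ("sw-floor2", "Gi1/0/1"): "00:1b:44:11:3a:b7",
    ("sw-floor2", "Gi1/0/2"): "00:1b:44:11:3a:b8",
    ("sw-floor2", "Gi1/0/3"): "00:1b:44:11:3a:b9",
    ("sw-floor2", "Gi1/0/4"): "00:1b:44:11:3a:ba",  # printer being replaced, work order open
    ("sw-floor2", "Gi1/0/6"): "00:1b:44:11:3a:bb",  # IP phone that should be connected
}
OPEN_WORK_ORDERS = {("sw-floor2", "Gi1/0/4")}


def run_example():
    return reconcile(parse_discovery(DISCOVERY), BASELINE, OPEN_WORK_ORDERS)


if __name__ == "__main__":
    for line in audit_lines(run_example(), "2024-01-01T00:00:00Z"):
        print(line)
```

Run against the constructed sample, the script reports the finance workstation on Gi1/0/5 as moved (it is documented on Gi1/0/3, and no work order authorizes the change), the unknown laptop on Gi1/0/7 as rogue, the printer port as an authorized disconnection because a work order is open for it, and the missing IP phone as an unauthorized disconnection. Two design points matter for an audit: MAC notation is normalized before comparison so that notation differences between the discovery tool and the baseline never mask a mismatch, and every deviation is emitted as a timestamped record rather than only counted, since the auditor wants the trail, not the summary.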