ISS Service Helps Users Comply With Fed Laws

The move comes as security solution providers look to shore up their own sales and marketing messages surrounding complex regulatory legislation such as HIPAA, which sets privacy and disclosure parameters for patient data; the Gramm-Leach-Bliley Act of 1999, which focuses on financial services firms; the Sarbanes-Oxley Act of 2002, a broad series of accounting oversight guidelines; and other regional corporate governance rules.

"We've put checklists together on how customers can become compliant from a security perspective," said Michele Drolet, CEO of Conqwest, a security integrator based in Holliston, Mass.

Offering this expertise takes a tricky combination of high-level engineering expertise and specialized knowledge of hospitals and financial institutions, Drolet said.

ISS' new service includes a five-step assessment of how a company's existing security products correlate to different government and industry requirements, said Peter Privateer, senior vice president of marketing at the Atlanta-based security vendor.

The company will offer compliance advisers related to the regulations mentioned above, as well as for Supervisory Control and Data Acquisition, which pertains mainly to power plants, oil refineries and other utilities; and for California Senate Bill No. 1386, which requires any company with offices in the state to disclose security breaches.

ISS expects to offer the service on its own as well as with some of its smaller business partners that don't have the staff resources to address these issues themselves, Privateer said.

"Once the problem is identified, it is presumed that the customer is going to want to do something about it," he said.

Robert Cohen, president and CEO of CG Atlantic, a systems integrator based in New York, said corporate governance is definitely a hot button for many of his customers in financial services. However, he expects that many of these companies will rely on larger systems integrators for related business process advice, coupled with the security-specific information CG Atlantic can offer.

HIPAA concerns began driving a significant portion of new business for SonicWall at the end of the summer, said Doug Brockett, vice president of marketing at the Sunnyvale, Calif.-based security vendor. HIPAA compliance is happening across the board among hospitals, clinics and remote medical service centers, he said. "Some of the smaller organizations may even be faster movers," Brockett said.

One way companies can address compliance issues quickly is through security identity management, said Leah MacMillan, vice president of desktop solutions at Addison, Texas-based Entrust.

The vendor, which provides various products for securing access at the desktop, Web portal or Web services level, said solution providers can build successful sales arguments by focusing on deploying solutions that provide accountability when it comes to ensuring data integrity, enable privacy and access controls, and provide some sort of auditing and policy management capabilities.

Entrust's primary customer set lies in government agencies, financial services and health care, MacMillan said.

For example, one longtime Entrust customer is the Southwest Border States Anti-Drug Information System. A particular challenge for the group, which uses Entrust technology for authentication, encryption and digital signatures, was that each of the four states involved had different laws governing how information could be shared. The Entrust technology bridges those laws.