Compliance is a difficult task for everyone. Compliance experts agree that the term “compliance,” with respect to technology, was born in a grey area; it is almost never black or white. Windows 7 makes HIPAA, Sarbanes-Oxley, PCI DSS, and other compliance initiatives easier with better security, better control over access to information, and improvements in the ability to prove that you have done what you are supposed to be doing.
According to Jack Gold of J. Gold & Associates, a Boston-based technology consulting firm, the regulatory controls to which an organization is subject depend on the business type, the nature of its customers and partners, and the manner in which it functions. Many third-party software, hardware, and service products address a multitude of compliance or regulatory-related issues. However, for many mid-size and large organizations, compliance begins with the operating systems and products installed on a given network. In addition, every organization needs a customized program, updated regularly, designed to meet its specific needs. Gold believes, “Compliance is never one thing. It is many things.”
To understand the specific Windows 7 enhancements that address regulatory and compliance initiatives, it is essential to take a step back and review the basics. It is critical for an organization’s management to determine what type of compliance and security programs are mandated for its business.
Several controls are common to all compliance programs: defined security procedures, authentication, log management, device management, and encryption of stored files. These controls are also the demonstrable evidence that a compliance initiative exists, because each one leaves a setting or a log an auditor can inspect. Windows 7 offers significant enhancements in security, authentication, encryption, logging, and device management, to name a few OS capabilities that bear on a business’s compliance requirements. Operating systems (including Windows 7) are not designed specifically with compliance and auditing in mind, although some features can be highlighted and implemented as part of an organization’s overall program.
Microsoft’s OS does not offer a complete compliance or security solution, says Charlotte Dunlap, independent security analyst and Forbes.com columnist, but “compliance and security go hand-in-hand now. No OS was designed as a complete compliance solution; in today’s economy, companies want to leverage what they can get out of their software purchases.”
Organizations give employees access to critical business information on more than just their internal computers, generating additional potential for security breaches. “To have a reasonable compliance initiative, organizations must manage the entire lifecycle of their data,” Gold says. “This includes mobile devices, memory sticks, e-mail, and any other devices (including PDAs) used by employees, whether given to them by an organization or not, in the course of business.”
Healthy security programs let organizations see who has access to their data at all times, where the data resides, and when and how it is accessed. Windows 7 offers more monitoring and measurement than previous versions. One example is Data Execution Prevention (DEP). DEP is not a file-protection feature; it is a memory protection that marks the pages a program uses for data (its stacks and heaps) as non-executable, so an attack that injects code into one of those regions cannot run it. DEP has been available since Windows XP SP2, but on Windows 7 it is on by default for the operating system’s own processes and for Internet Explorer 8, the browser that ships with it, closing off a common path for drive-by attacks on the desktop. Because the DEP policy is a machine-wide setting, it is one piece of network security an organization can demonstrate in a compliance audit. Dunlap says, “This is critical in today’s threat landscape where attacks are monetarily based and the main motivation of cyber-criminals is to steal data for profit. Therefore, organizations must utilize multi-tiered security products, including their OS and those specifically designed for compliance and threat management.”
Microsoft added BitLocker with Vista and enhanced it significantly in Windows 7. BitLocker encrypts entire volumes, including the one Windows itself is installed on, and Windows 7 setup creates the small unencrypted system partition the feature needs, so it can be turned on without repartitioning the disk. Without the key protector (the machine’s TPM, a PIN or USB startup key, or the recovery key), the data on an encrypted volume cannot be read, even if the drive is removed and attached to another machine.
In some ways this matters more than the DEP changes: with Windows 7, BitLocker To Go extends the same encryption to USB flash drives and other removable drives, and Group Policy can deny write access to any removable drive that is not BitLocker-protected. Encryption says who can read the data; auditing says who did. Windows 7’s audit policy (the Advanced Audit Policy Configuration settings, manageable through Group Policy) records logon events and access to audited files and folders in the Security log, so that who accessed what, and when, is available for review.
These security features are mission critical for organizations tasked with providing demonstrable evidence of their security and compliance programs in an audit. “Not all data is created equal. From an enterprise perspective, it is essential for all data to be logged on a corporate system and not on individual machines for an audit. This is really an issue of scale,” says Gold.
The Windows Firewall in Windows 7 filters inbound and, when configured to, outbound traffic, and it can apply a different profile (domain, private, or public) to each network connection at the same time, so a laptop on a public hotspot and a corporate VPN is locked down on the one side without losing access on the other. User Account Control (UAC) is a separate control: it runs even an administrator’s programs with standard-user rights and requires explicit consent before anything is elevated (on Windows 7 the default prompts only for non-Windows binaries), so software cannot silently install itself or change system settings. That is its benefit, and it is lost the moment UAC is switched off. Managing which applications may run at all is the job of a different Windows 7 feature, AppLocker, available in the Enterprise and Ultimate editions.
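The features described above (DEP, BitLocker, audit policy, the firewall, and UAC) are only evidence if someone collects them. The script below is an added example, not code from the article or from Microsoft: it reads each setting on a Windows 7 machine with tools that ship with the OS (WMI, auditpol.exe, netsh.exe, and the registry), compares it against an expected value, and writes the result to a CSV on a central share. The expected values, the share path, and the choice of audit subcategories are this example’s assumptions, not requirements of any particular standard. Run it from an elevated PowerShell prompt; it is written against PowerShell 2.0, the version Windows 7 ships with.

```powershell
# Added example: collect Windows 7 security settings as audit evidence.
# Assumptions: elevated prompt, English-language auditpol/netsh output,
# and a reachable share at $EvidenceShare (hypothetical path).
$EvidenceShare = '\\fileserver\audit-evidence'
$evidence = @()

function Add-Finding($Control, $Observed, $Expected, $Ok) {
    $script:evidence += New-Object PSObject -Property @{
        Host = $env:COMPUTERNAME; Collected = (Get-Date).ToString('s')
        Control = $Control; Observed = "$Observed"; Expected = $Expected; Pass = $Ok
    }
}

# 1. DEP policy (Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy):
#    0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut.
#    This example treats AlwaysOn or OptOut as the expected setting.
$os = Get-WmiObject Win32_OperatingSystem
$dep = [int]$os.DataExecutionPrevention_SupportPolicy
Add-Finding 'DEP policy' $dep '1 or 3 (AlwaysOn/OptOut)' ($dep -eq 1 -or $dep -eq 3)

# 2. BitLocker per volume (Win32_EncryptableVolume.ProtectionStatus):
#    0 = protection off, 1 = on, 2 = unknown. Covers fixed and removable volumes.
$vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                      -Class Win32_EncryptableVolume
foreach ($v in $vols) {
    $status = [int]$v.ProtectionStatus
    Add-Finding "BitLocker $($v.DriveLetter)" $status '1 (protection on)' ($status -eq 1)
}

# 3. Audit policy: parse 'auditpol /get /category:*' subcategory lines
#    ("  Logon                      Success and Failure") and check the
#    subcategories that show who logged on and what they touched.
$wantedAudits = @('Logon', 'File System', 'Audit Policy Change')
foreach ($line in (auditpol /get /category:*)) {
    if ($line -match '^\s+(.+?)\s{2,}(\S.*)$') {
        $name = $matches[1]; $setting = $matches[2].Trim()
        if ($wantedAudits -contains $name) {
            Add-Finding "Audit: $name" $setting 'Success and Failure' `
                        ($setting -eq 'Success and Failure')
        }
    }
}

# 4. Firewall state and default policy for each profile, from
#    'netsh advfirewall show allprofiles' ("Domain Profile Settings:" headers,
#    then "State ON" and "Firewall Policy BlockInbound,AllowOutbound").
$fwProfile = ''
foreach ($line in (netsh advfirewall show allprofiles)) {
    if ($line -match '^(\w+) Profile Settings:') { $fwProfile = $matches[1] }
    elseif ($line -match '^State\s+(\w+)') {
        Add-Finding "Firewall $fwProfile state" $matches[1] 'ON' ($matches[1] -eq 'ON')
    }
    elseif ($line -match '^Firewall Policy\s+(\S+)') {
        Add-Finding "Firewall $fwProfile policy" $matches[1] 'BlockInbound,*' `
                    ($matches[1] -like 'BlockInbound,*')
    }
}

# 5. UAC from the policy registry key. EnableLUA = 1 means UAC is on.
#    ConsentPromptBehaviorAdmin: 2 = always prompt for consent on the secure desktop;
#    5 (the Windows 7 default) prompts only for non-Windows binaries.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Finding 'UAC enabled' $uac.EnableLUA '1' ($uac.EnableLUA -eq 1)
Add-Finding 'UAC admin prompt' $uac.ConsentPromptBehaviorAdmin '2 (always prompt)' `
            ($uac.ConsentPromptBehaviorAdmin -eq 2)

# Store the evidence on a corporate system, not the workstation, and show failures.
$out = Join-Path $EvidenceShare ("{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
$evidence | Select-Object Host, Collected, Control, Observed, Expected, Pass |
    Export-Csv -Path $out -NoTypeInformation
$evidence | Where-Object { -not $_.Pass } | Format-Table Control, Observed, Expected -AutoSize
```

Pushed out as a Group Policy startup script, this yields one dated CSV per machine on the share, which is the kind of centrally held, per-host record an auditor can sample; a machine whose BitLocker status is 0 or whose UAC key reads 0 shows up in the failure table the same day.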
Gold and Dunlap agree on five steps that every enterprise must undertake: encrypt data; control access, both internal and external; manage personal computers and workstations proactively; train staff continuously in corporate security practices; and finally, know where enterprise data is and how it is being used, and protect it efficiently.
“Successful security and compliance programs incorporate all areas of technology into their consistently updated programs,” explains Dunlap. Efficient protection of enterprise data is where Windows 7 and regulatory, compliance, and security programs meet.
Windows 7, according to Gold, offers “the Carfax of data for some industries.” For organizations using their operating system as a second-tier security measure in their enterprise IT programs, it is a start. For organizations facing larger, more sophisticated security and compliance programs, Windows 7 has made the task easier with enhanced encryption, DEP functionality, BitLocker, and other features. It is not a complete compliance or security solution, say these experts, but a foundation for one.