Regulatory compliance hogs security pros' attention

One out of two IT security pros spends 50 percent of the work week on regulatory compliance initiatives, according to a new study

One out of every two IT security professionals spends 50 percent of the work week on regulatory compliance initiatives, according to a new survey.

Meeting regulatory compliance objectives such as the Payment Card Industry (PCI) guidelines, Sarbanes-Oxley (SOX), and healthcare-related mandates is time-consuming, according to the results of the "2010 Vulnerability and Management Trends Report," which polled more than 1,900 IT security professionals and is sponsored by eEye Digital Security.

The considerable amount of time that security professionals may spend meeting regulatory compliance goals doesn't surprise Dave Wiseman, director of information security and business continuity at St. Luke's Health System in Kansas City, Missouri. That regulatory compliance takes up to 50 percent of work time "is probably pretty accurate," Wiseman says. PCI, SOX and healthcare's HIPAA and HITECH Act are among the regulatory requirements that the hospital system must meet, he adds.

One compliance task for the healthcare organization involves log management, and to that end St. Luke's deployed LogRhythm's centralized log management product to correlate log data and security alerts from a variety of security gear. This lets St. Luke's establish a security dashboard for the staff's general use, and "we also use this for server management, to see when services unexpectedly stop," Wiseman adds.

Among other findings in the "2010 Vulnerability and Management Trends Report," 73 percent of survey respondents said their organizations have as many as 100 applications deployed, and 64 percent said Microsoft applications account for up to 75 percent of their organization's deployed applications.

Microsoft applications "continue to place the most impact on organizations when it comes to security, regulatory compliance and configuration management," the report states.

In a related announcement, eEye Digital Security said it has updated its Retina CS Management Console 2.0 for vulnerability management of Windows-based machines to include regulatory-reporting packages for SOX, PCI, and FISMA, and tools for baseline configuration as well as patch-management analysis.

"A year ago, we started heavily investing our engineering efforts on this," says Marc Maiffret, co-founder and chief technology officer at eEye, about the newly released CS Management Console 2.0 that works with eEye scanners.

"These are advanced reporting analytics," Maiffret says, which will allow Retina CS Management Console 2.0 to look at a wide variety of configuration and compliance definitions in order to check whether Windows-based machines adhere to various requirements. One example is the Security Content Automation Protocol (SCAP), which the federal government requires under its Federal Desktop Core Configuration mandate.

This story, "Regulatory compliance hogs security pros' attention" was originally published by Network World.