Proactively Managing the Cost of Compliance

Northbrook, IL – February 4, 2009 – Managing the complexity of compliance and a swarm of regulatory acronyms is all in a day’s work for Jeremy King.

King is a security specialist for SOURCECORP – a provider of business process outsourcing to the financial, government, healthcare and legal industries. SOURCECORP operates from more than 50 locations in the U.S., Mexico, India and the Philippines.

“Because we are a BPO organization, we manage hundreds of isolated networks, each configured to the needs of each customer. Other than a few key internal systems, there is no standard architecture for these networks. We build a solution tailored to a client’s process need. To keep clients separate, dataflow, repositories, everything is isolated,” said King.

With clients in so many industries, and with so many unique processes under management, every supporting network is also governed by a unique mix of compliance and regulatory acronyms, including GLBA, HIPAA, SOX, SAS70, and PCI, to name a few.

“Our customers have the right to be pickier than the regulations themselves. They are paying us to manage their process and they want to ensure they are compliant. Since we are managing their processes, we are governed by the same regulations that our customers are governed by,” said King.

To ensure that both the customers’ needs and the requirements of the regulations are met, SOURCECORP implements very strict best practices across the board.

“By doing so, we meet most of the regulations. PCI is the most specific. The rest are a little more generic. If you implement PCI, you automatically take care of the rest of the regulations, barring a few exceptions from GLBA,” said King. “In fact, we recently brought on a customer that needed the highest level of PCI compliance. By raising the standards in one location, for one client, by default, we automatically raise the standard across all locations and networks and clients. We’re always raising the bar.”

By continually raising the bar for clients, employees must also raise the bar on their own performance. King was first hired to conduct penetration testing – probing the network for weakness.

“Since then, my job has evolved to ensure we have the proper controls in place from a policy and procedural perspective. I work to identify gaps in our existing security, and find areas where we can improve our security to be more compliant.”

In the beginning, King used freeware tools such as Nessus to conduct security scanning but quickly found that the free tools were not conducive to the management of such a large, complex environment.

“I needed a way to give control out to the various locations and IT staff to run their own scans and maintain their own scans instead of relying on me. It had gotten so that all my time was spent measuring benchmarks and tracking resolutions of those vulnerabilities. I wasn’t being strategic.”

In an effort to improve efficiency and provide more autonomy for each location, SOURCECORP began evaluating various automated scanning tools. In the end, SOURCECORP selected Beyond-IP’s AVDS as the best fit.

“Our CIO was looking for the best solution for the lowest possible cost. Because of the complexity of our networks, the other solutions were cost prohibitive because they charge on a per scan/per IP basis. Every network is now scanned once per month (and each network owner can request more frequent scanning if they want it because it doesn’t cost us anything extra) – we perform a security mapping of each network and simulate attacks from both inside and outside the networks. AVDS generates a detailed vulnerability report specifying the security breaches, along with recommended fixes for each of the vulnerabilities. The engine is updated on a regular basis for the most recent security vulnerabilities. The updates include security vulnerabilities that were discovered by the Beyond-IP's research and development team, as well as those discovered elsewhere.”

The automation of scans and vulnerability reports allowed King to focus on higher value work, including security awareness training. King believes most security breaches happen by accident – improper use of technology, changes made to the network without considering the security implications or bypassing important controls because someone is in a hurry.

“Now I create security awareness training, consult with IT on change management and work with audit and compliance on gap resolution… so now the ROI on me as a resource is much higher because we have moved our scanning to an automated platform.”

King believes automated scanning is a cornerstone for improving SOURCECORP’s security posture.

“We now can easily justify to management the cost of upgrading. For example if we have an operating system end of life and no way to patch vulnerabilities, we either need to accept those vulnerabilities or replace the machines. This kind of data gives you a lot of leverage with management for improving your security posture.”

About SOURCECORP

SOURCECORP is a provider of business process outsourcing to the financial, government, healthcare and legal industries. SOURCECORP manages hundreds of isolated networks for clients, and each network is governed by different global IT security standards and integrity legislation. The cost of monthly vulnerability scanning and customer reporting was prohibitive because most vendors charge on a per scan/per IP basis.

About AVDS

Beyond-IP's AVDS performs a security mapping of an organization's network and simulates attacks originating from either the internal or the external network. Once the security mapping is complete, AVDS generates a detailed vulnerability report specifying the security breaches, along with several practical and easy-to-apply solutions to fix those vulnerabilities. The engine is updated on a regular basis for the most recent security vulnerabilities. The updates include security vulnerabilities that were discovered by the company's research and development team, as well as those discovered elsewhere.

By installing the AVDS appliance-based solution, SOURCECORP has a real-time view of all their networks and is able to clearly demonstrate compliance with emerging global IT security standards and integrity legislation.

About Beyond-IP, LLC

For organizations concerned about regulatory compliance or dissatisfied with the network security audit services provided by their consulting firms, Beyond-IP provides an Automated Vulnerability Management Appliance that provides a higher quality, lower cost network vulnerability assessment and management than any other alternative. The Automated Vulnerability Management Appliance performs a security mapping of your network and simulates attacks originating from either the internal or the external network. Once the security scanning is complete, the software generates a detailed vulnerability report specifying the security breaches, along with practical solutions to fix those vulnerabilities. Beyond-IP’s solutions allow simplified measurement, monitoring and management of vulnerabilities over time. To learn more, visit www.beyond-ip.com.

Contact for Beyond-IP, LLC

Ben Bradley
ben@maconraine.com
630-221-9844