Data Overlap in Compliance Regulations

In my upcoming review of nCircle's Device Profiler 3000 (DP3000), I was reminded of how much overlap there is between compliance regulations. In a nutshell, the DP3000 is a scanning engine (it uses Nmap, for example) that collects configuration data from servers, network devices and applications and then forwards that information back to the central console, called the Compliance Configuration Manager (CCM). (This product is the result of nCircle's acquisition of Cambia in May 2007.)

The data collected by the DP3000 is concentrated at the CCM and then spit out in the form of reports, dashboards and monitors that show what's changing in the IT environment and what impact that's having on compliance posture. Reports issued by the product enable IT staff to make sure out-of-compliance objects are prioritized and brought back into compliance, while senior IT staff get big-picture reports that provide an overall idea of how the organization is doing, compliance-wise.

But as I started with, it was most interesting to me to see the amount of overlap in the reports generated for PCI (Payment Card Industry), SOX (Sarbanes-Oxley) and HIPAA (Health Insurance Portability and Accountability Act). Basically, the same information about accounts, passwords, access logs and parameter changes was used over and over again to provide the proof needed to demonstrate compliance with the various regulations.

The more regulated your organization, the more payoff you get from a tool like CCM. And that's a good thing because, between the licensing and implementation costs, organizations can lay down a fair chunk-a-change to keep "the man" at bay.