How Bertucci's learned to embrace compliance


How did the Bertucci's restaurant chain figure out how to process more than 3.7 million credit card transactions a year while complying with federal and state regulations as well as industry rules? It started by taking a close look at its processes and realizing that it didn't always know who was accessing what data when.

"What became immediately clear was that we lacked visibility into changes that could move us out of compliance," admits Bertucci's senior IT director, Kevin Quinlan, in a post at Baseline magazine. "We didn't know if we were secure or compliant, or if we were just moments away from a massive data breach."

Bertucci's, which has 94 restaurants along the east coast, is subject to a host of government and industry regulations, including the Payment Card Industry Data Security Standard (PCI DSS) and a relatively strict state data protection and breach notification law. Under PCI DSS rules, it has to track changes, create audit trails and retain records of every matter it investigates.

Access control is key to the restaurant chain's compliance efforts because it handles not only customer data but also sensitive internal data, including financial and personnel information. In the past, the company ran into trouble when terminated employees retained access or when the wrong person inadvertently got into payroll data. With most of its employees part-time or transitional, the company needed a way to monitor access to those systems more closely.

"That's a powerful motivator because we had virtually no awareness of who was accessing what information--and whether incidents were benign instances of employees 'fat-fingering' passwords (typing the wrong character) or if there was malicious activity under way that could compromise our servers," Quinlan writes.

If employees gave themselves excessive administrative rights or if they inappropriately changed firewall settings, it could imperil compliance efforts. "So, ultimately, we came to recognize the value of compliance--not for the sake of checking some boxes to keep regulators at bay, but as a catalyst for implementing much-needed security measures," he writes. "For that reason alone, we developed a fine appreciation for compliance, rather than the feelings of frustration I hear from my peers."
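The three failure modes the article describes (an ex-employee whose account still works, a burst of failed logins that is guessing rather than a fat-fingered password, and an employee adding themselves to an administrative group) can each be turned into a check over an audit log. The following is an added example, not code from the article or from Bertucci's; the log format, HR roster, group name and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
FAIL_THRESHOLD = 5                 # failures per user inside FAIL_WINDOW before it stops looking like a typo
FAIL_WINDOW = timedelta(minutes=2)
# Constructed sample inputs (not from the article): an HR roster with termination dates
# and an audit log of (timestamp, actor, action, target, outcome) tuples.
HR_ROSTER = {"jdoe": "2012-03-01", "asmith": None, "bwong": None}   # date = terminated, None = active
AUDIT_LOG = [
    ("2012-03-02 09:00:00", "jdoe",  "login",     "pos-03",               "success"),  # ex-employee
    ("2012-03-02 09:01:00", "bwong", "login",     "pos-01",               "fail"),     # one typo...
    ("2012-03-02 09:01:15", "bwong", "login",     "pos-01",               "success"),  # ...then fine
    ("2012-03-02 09:10:00", "bwong", "group_add", "bwong:Administrators", "success"),  # self-granted admin
] + [("2012-03-02 09:05:%02d" % s, "asmith", "login", "payroll", "fail") for s in range(0, 60, 10)]
def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_terminated_access(log, roster):
    """Successful actions by accounts whose HR termination date has already passed."""
    hits = []
    for ts, user, action, target, outcome in log:
        term = roster.get(user)
        if outcome == "success" and term and parse(ts).date() >= parse(term + " 00:00:00").date():
            hits.append((ts, user, action, target))
    return hits

def find_failed_login_bursts(log, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Users with at least `threshold` failed logins inside a sliding `window`:
    a fat-fingered password yields one or two failures, guessing yields many."""
    fails = defaultdict(list)
    for ts, user, action, target, outcome in log:
        if action == "login" and outcome == "fail":
            fails[user].append(parse(ts))
    bursts = set()
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.add(user)
                break
    return sorted(bursts)

def find_self_granted_admin(log, admin_group="Administrators"):
    """group_add events where the actor added their own account to the admin group."""
    hits = []
    for ts, user, action, target, outcome in log:
        member, _, group = target.partition(":")
        if action == "group_add" and outcome == "success" and member == user and group == admin_group:
            hits.append((ts, user, group))
    return hits
```

Each function returns the matching events so they can be fed into a ticketing or review queue, which is the audit trail PCI DSS expects rather than a one-off alert.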

For more:
- see Kevin Quinlan's post at Baseline
