
Compliance and Modern Business


By Liza Zaneri, CEO, Base-One Technologies

No one who is in a management position needs to be told that the business landscape is changing. Navigating business was never a walk in the park, but with the introduction of a number of government and non-government regulations it has become more like walking through a minefield! Executives responsible for Information Technology often feel the weight of these regulations more fully than their counterparts in other areas of the company.

In today's world much of what is done, and regulated, is accomplished using some degree of IT resources. This has put IT squarely in the cross-hairs of regulators, auditors and other business leaders. Certainly this has caused many sleepless nights for the IT management team, but it does not have to be as difficult and scary as it first seems. There are things that IT staff have been doing for years that can be adapted to lessen the impact of all of these regulatory woes.

Documentation is usually the bane of any IT professional's life; however, it is something that we all need to do in order to ensure that things are done right and can be supported long term. The cry of "document, document, document", while sounding like a broken record, should actually be the mantra of the modern IT professional. It is nearly impossible to ensure regulatory compliance unless policies, standards and operational procedures have been put in place and kept up to date. The latter is the most overlooked aspect of documentation, yet documentation that is out of date is like having no documentation at all. To avoid confusion about what each term for the documentation (policy, standard, procedure) means, it is helpful to define them here. Policies are broad statements made by management that explain why something is important to the organization. A policy might state that "sensitive data will be encrypted". It may even go as far as laying out the broad classification categories that are applied to data in order to determine what is sensitive. A standard deals with what must be done. In the case of encryption of sensitive data, the standard may name the tools that are approved for encrypting sensitive data and what is required depending on the storage medium or transport mechanism. A procedure addresses how one is to accomplish the encryption. It is usually detailed in nature, and its audience is the technical individuals responsible for carrying out the day-to-day application of the policy and standard.

Once the documentation is complete, it is up to the IT professionals to design a control structure that ensures compliance with the policies and standards that have been developed. The term control structure refers to the processes and tools that can be applied to an IT environment to effectively carry out the security and other requirements. In short, it is the things you put in place to make sure that proper passwords are used, access control lists are correct, and access is limited to those who need it to perform their job. Some companies adopt a framework such as COBIT from ISACA, ITIL, or even ISO 17799 in order to ensure that they have the proper control structure in place. Others design their own framework and implement around that. It is really up to the individual IT executive to determine which approach will work best for their organization. The issue is not which control framework you adopt, but simply that you adopt or create one and implement tools that are consistent with that framework.

As essential as it is to have complete and up-to-date documentation and an effective control structure, it is just as important to have monitoring, enforcement, and reporting capabilities. I once had a senior application developer tell me "If you don't enforce it, it isn't a standard". The statement was direct and to the point, and very true. Without an effective monitoring program you cannot evaluate the effectiveness of the controls you have put in place. Also, with the reporting requirements introduced by the various regulations, senior executives will demand periodic reports so that they can attest to the adequacy of the control structure with confidence. The key is to put in place monitoring and metrics reporting that helps IT executives manage their environment more effectively, while at the same time providing other senior executives with the information they need to confidently attest that the control structure is effective. Without monitoring and reporting, everything else that has been done will have much less value.

At this point the reader might very well be asking what all this has to do with compliance and the modern business. Simply put, most technologists tend to over-complicate matters surrounding compliance. The furor over regulatory compliance is somewhat akin to the doomsday prophets who predicted the complete downfall of our society with the coming of the year 2000. I was involved with much of what went on in preparation for Y2K and found that, while there was a great deal of work involved in the remediation efforts, success came down to following the basic fundamentals of project management and application life cycle methodologies.

The same is true of regulatory compliance. If you analyze all of the requirements of the various regulations, you will find that by adopting a solid control framework, documenting how that framework applies in your company, and constantly monitoring the effectiveness of the controls in place, you will be compliant. Of course there are some things that must be addressed in more detail depending on the regulation you are held to, but the basics are still the same. It doesn't matter if you are protecting Protected Healthcare Information (PHI) for HIPAA, financial data for Sarbanes Oxley, or client data under GLBA; in the end you have to adopt controls to protect data. In short, a well designed, documented and executed IT control structure will meet most, if not all, of the regulatory requirements.

Education of the entire staff is another area that must be addressed if an effective control framework is to accomplish its goal of regulatory compliance. If you have the best program and monitoring in place but neglect to inform all levels of the company about the program and their individual responsibility for it, you will not achieve your goal. Consistent, periodic education on the controls that are in place and the reasons for them is essential if an organization hopes to achieve and maintain compliance. Repetition of the message helps greatly in its reception and acceptance.

While it is true that many aspects of these regulations go well outside the IT arena, from an IT standpoint most of the regulations say the same thing: "have a good security and data integrity program in place and monitor it for effectiveness". They don't use exactly those words, but the message is very clear.

Today's modern businesses rely heavily on their IT infrastructure to support all aspects of their operation. It follows logically, then, that IT must operate in accordance with a well-crafted and well-executed control structure. A return to the basics of a solid plan, clear documentation, effective monitoring, and awareness training can help ensure that you are compliant with the regulations of today and prepared for the new regulations that are sure to come tomorrow.



Ms. Zaneri is the President and CEO of Base-One Technologies in New York, which recently won the coveted Eagle project from the United States Department of Homeland Security.

Ms. Zaneri has worked with multiple Fortune 500 companies and government agencies as an engineer, lead engineer, strategist, and more. Ms. Zaneri has a B.S. in Geology from Hunter College and has worked on a myriad of government contracts over the past decade.

Ms. Zaneri's core belief is that her Base-One team is simply an extension of the team of the organization she is currently working with.





© 2019 Simplex Knowledge Company. All Rights Reserved.