
Examining Compliance from a Big Picture Perspective


By Suzanne Dickson
Director of Product Marketing
Symantec

In today's business environment, regulation is the name of the game. For better or worse, regulations such as Sarbanes-Oxley, HIPAA, the Gramm-Leach-Bliley Act, FISMA, and California SB 1386 now heavily influence corporate IT practices. The list of regulations is long, and it grows longer with each legislative session.

When strict regulations were first implemented, many IT professionals saw the legislation as an opportunity to demonstrate the link between IT practices and everyday business operations. The reality, however, is that regulation is bogging down already overburdened IT resources. In today's heightened cyber-threat environment, organizations face tremendous pressure to maintain compliance with a variety of complex regulations, and many IT departments are feeling the pinch.

A November 2005 survey by Ernst & Young found that nearly two-thirds of its 1,300 respondents considered regulatory compliance the primary driver of information security at their companies, ranking it ahead of other critical missions such as protecting against security threats and meeting business objectives. It is not surprising that compliance ranked so high. After all, even the most minuscule non-compliant decision can become the weak link that leads to a data breach, threatening a company's brand integrity and consumer confidence.

The data breaches that have dominated recent headlines should make every IT manager take notice. According to Privacy Rights Clearinghouse, more than 210 publicized breaches have affected more than 55 million customers since February 2005. Those numbers are alarming, but the cost of notification is more so, with projections running from $10 to $35 per customer. Combining the hard costs of notification with the decline in shareholder and consumer confidence (some studies show a five percent decline in market capitalization and a 10 to 12 percent decline in consumer confidence immediately following a breach) can produce devastating effects on an organization.

To ease these risks while simultaneously meeting regulatory demands, organizations must build their IT infrastructures on a foundation of compliance. The most effective approach combines the strategic involvement of personnel, processes, and technology to create an operating framework that is effective, measurable, repeatable, and, most importantly, delivers long-term results.

Examining the Big Picture
The first step companies take as they evaluate their regulatory compliance strategy is perhaps the most important. Selecting the personnel who will conduct compliance reviews and build policy is paramount to success. Businesses must resist the temptation to restrict compliance reviews to small groups of auditors, select senior managers and the board of directors, and instead take a "big picture" approach to committee selection. Limited involvement from key personnel in the review and planning stage often translates into limited effectiveness in the execution stage.

In addition to strategic personnel selection, compliance-based controls and measurements can be used on a continuous basis to identify inefficient internal business and technology controls. Organizations that combine regulatory compliance activities with business process improvement programs get the most return on their compliance investment.

A paradigm shift needs to occur, in which businesses view regulatory compliance not simply as an end in itself but as the means to a more important end. Compliance must be seen as a strategic component of information security that helps an organization achieve its overall mission of serving its customers, increasing market share, improving business operations and enhancing profit margins. When IT managers adopt a "big picture" approach to compliance, the organization moves closer to its critical corporate objectives. Identifying and rectifying deficiencies in the essential areas of sales, invoicing, customer service and inventory controls (not to mention access, archive and retention policies and the processes and technologies that support them) brings the organization closer to its end goals.

Adopting a "big picture" approach to regulatory compliance calls for more inclusive participation in compliance projects from all parts of the business. By involving multidisciplinary teams from key departments such as finance, legal, IT, and HR, organizations can create a compliance committee that represents the interests and abilities of the entire business, while committee members drive change from within their own departments.

Improvement through Automation
As most organizations move to satisfy multiple regulatory mandates each year, one of the most demanding aspects of regulatory compliance is finding and documenting gaps and exposures in the IT infrastructure. The pressing nature of demonstrating compliance has prompted some businesses to try to leverage low cost, manual methods such as spreadsheets. Although the low cost of implementation of this approach is initially appealing, its limitations become clear as organizations struggle with long-term scalability and reliability.

With manual methods proving cumbersome, many organizations are turning to automation in IT and IT-enabled business functions as a more effective and cost efficient means of demonstrating compliance. Implementing an automated, consistent, and repeatable process for testing, measuring, remediating, and reporting on the state of IT-related security controls can result in continual performance improvement.

The task of correlating business requirements with regulations and policies without an automated toolset (together with analysis and remediation, auditable processes, and ongoing management and monitoring) is impractical at any real scale. The framework for ensuring compliance and long-term performance improvement follows a repeating cycle: define and document policies, identify and control deficiencies, and create the policies and practices that eliminate the root causes of those deficiencies.

Automated policy management tools enable organizations to define, create, and disseminate policies and to track user acceptance or waivers. Because many companies are subject to more than one regulation, a growing number of these tools can map a single policy to multiple frameworks, standards, and regulations. Technology that evaluates mission-critical applications and operating systems and reports deviations in areas such as password strength, default accounts, user rights and permissions, and vulnerability and patch status simplifies the task of identifying IT security risk. Security risks that threaten business-critical applications are then identified and prioritized automatically.

Technology tools can also automate processes such as establishing, testing, measuring, and remediating control deficiencies. Tools that establish baseline configurations for all major operating systems and identify exceptions to configuration standards ease the assessment and management of IT technical controls. A growing number of these tools also enable proactive response to fast-moving and sophisticated threats by leveraging global networks of Internet activity sensors as well as security personnel.

Finally, automated tools can also streamline the governance of a compliance and performance-improvement program. Some demonstrate due care toward IT policy compliance by integrating assessment data from many sources into a single reporting interface; others capture and report user acceptance of and waivers to policies, or automatically report gaps in coverage of key regulations and frameworks.
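The assessment loop the preceding three paragraphs describe (collect host state, compare it with a baseline, honour recorded waivers, and map each deviation back to the regulations it affects) is shown below as an added example in Python. It is not Symantec's product and not the article's own code. The host data is constructed inline, and the control ids, the baseline values and the mapping of each control onto SOX, HIPAA, GLBA and FISMA are illustrative assumptions, not citations of any regulation's actual clauses.

```python
"""Baseline-compliance check over collected host configuration (added example,
constructed data; not Symantec's product or the article's own code).  Control
ids, baseline values and the control-to-regulation mapping are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Callable

# Constructed sample of data collected from one host (not from a real system).
LOGIN_DEFS = """\
# /etc/login.defs excerpt
PASS_MAX_DAYS   99999
PASS_MIN_LEN    14
"""
SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication no
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
svc_backup:x:1002:1002::/var/backups:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
guest:$6$salt$hash:19000:0:99999:7:::
svc_backup:!:19000:0:99999:7:::
"""
DEFAULT_ACCOUNT_NAMES = {"guest", "admin", "test", "oracle"}  # assumed vendor defaults
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_kv(text: str) -> dict:
    """Parse 'KEY value' lines (login.defs / sshd_config style); skip blanks and comments."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            out[parts[0]] = parts[1]
    return out


def enabled_default_accounts(passwd: str, shadow: str) -> set:
    """Default-named accounts that can still log in: unlocked hash and interactive shell."""
    locked = {}
    for line in filter(str.strip, shadow.splitlines()):
        name, hashed = line.split(":")[:2]
        locked[name] = hashed.startswith(("!", "*"))
    found = set()
    for line in filter(str.strip, passwd.splitlines()):
        fields = line.split(":")
        name, shell = fields[0], fields[6]
        if name in DEFAULT_ACCOUNT_NAMES and shell not in NOLOGIN_SHELLS and not locked.get(name, True):
            found.add(name)
    return found


def collect_host() -> dict:
    """Snapshot of the constructed host in the shape the controls expect."""
    return {"login_defs": parse_kv(LOGIN_DEFS), "sshd": parse_kv(SSHD_CONFIG),
            "default_accounts": enabled_default_accounts(PASSWD, SHADOW)}


@dataclass
class Control:
    cid: str
    title: str
    check: Callable[[dict], bool]  # True when the host meets the baseline
    frameworks: set                # regulations the control supports (assumed mapping)


CONTROLS = [
    Control("PW-01", "Passwords expire within 90 days",
            lambda h: int(h["login_defs"].get("PASS_MAX_DAYS", 99999)) <= 90, {"SOX", "HIPAA", "GLBA"}),
    Control("PW-02", "Minimum password length of 12",
            lambda h: int(h["login_defs"].get("PASS_MIN_LEN", 0)) >= 12, {"SOX", "HIPAA", "GLBA", "FISMA"}),
    Control("AC-01", "No enabled default accounts",
            lambda h: not h["default_accounts"], {"SOX", "HIPAA", "FISMA"}),
    Control("AC-02", "Direct root login over SSH disabled",
            lambda h: h["sshd"].get("PermitRootLogin", "yes").lower() == "no", {"SOX", "FISMA"}),
    Control("AC-03", "SSH password authentication disabled",
            lambda h: h["sshd"].get("PasswordAuthentication", "yes").lower() == "no", {"FISMA"}),
]


def assess(host: dict, waivers: dict = None, as_of: str = "2025-01-01") -> dict:
    """Evaluate every control.  A waiver (cid -> ISO expiry date) still valid on
    `as_of` records a failing control as 'waived' rather than 'failed'; an expired
    waiver does not.  'gaps' lists the failed control ids per regulation."""
    waivers, today = waivers or {}, date.fromisoformat(as_of)
    failed, waived, gaps = [], [], defaultdict(list)
    for c in CONTROLS:
        if c.check(host):
            continue
        if c.cid in waivers and date.fromisoformat(waivers[c.cid]) >= today:
            waived.append(c.cid)
            continue
        failed.append(c.cid)
        for fw in c.frameworks:
            gaps[fw].append(c.cid)
    return {"failed": failed, "waived": waived,
            "gaps": {fw: sorted(v) for fw, v in sorted(gaps.items())}}
```

On the constructed host, `assess(collect_host())` reports PW-01, AC-01 and AC-02 as failed and attributes each to every regulation that control supports, so one failing control can open a gap under several regulations at once. A waiver keeps a control out of the gap report only while it is unexpired; once the expiry date passes, the control reverts to a failure without anyone having to re-enter it, which is the behaviour an auditor will expect to see.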

The bottom line is that automated toolsets help make the task of meeting the complex requirements of regulatory compliance efficient while driving repeated performance gains across the organization.

Educating the Masses
After implementing a compliance strategy, it is critical to train end users to adhere to the new policies. User awareness and education are essential to meeting regulatory compliance requirements: even the best compliance strategy is useless unless users know the corporate policies. Users must also be held accountable for following them. By properly educating users and holding them accountable, organizations can avoid costly pitfalls such as a data breach.

Among the most attractive components of many of today's policy compliance toolsets is the ability to automate the development, distribution, and deployment of IT policies across the enterprise. These tools can deliver a customizable policy framework based on risk management objectives that can be traced back to specific business requirements. The increased user awareness that this automation produces is, in turn, usually accompanied by a significant decrease in the likelihood of policy compliance deficiencies.

The culture of regulation that prevails in today's business world is here to stay. Meeting regulatory compliance demands, like improving business performance, is a perpetual process that requires continual attention and effort. However, as IT managers expand their vision and implement compliance strategies such as automation, the task becomes noticeably easier. By involving key personnel from all areas of the business, implementing automated processes, and properly educating end users about compliance strategies, businesses can meet regulatory requirements while improving their operating practices.



Suzanne Dickson is the Director of Product Marketing for Management Solutions at Symantec Corp.




© 2019 Simplex Knowledge Company. All Rights Reserved.