Critical Challenges for Corporate Compliance

By Tom Schmidt

Laws and regulations are constantly evolving. Nowhere has this fact of life had a more profound impact than in today's IT department. For example, the emergence of email as critical evidence in litigation has increased liability for companies that do not have sound retention strategies in place. And measuring and reporting on IT internal controls poses an additional challenge in the age of the Sarbanes-Oxley Act.

Although the term "compliance" means something different to every company, the intent of multiple regulations across industries has a core commonality: to ensure the security, availability, and ultimately the integrity of corporate information. While many enterprises have approached compliance as a one-time event or on a per-regulation basis, this article will argue that organizations must begin to address compliance from a strategic perspective -- one that mandates a proactive and holistic approach to building a comprehensive set of capabilities in security and availability. A strategic approach can go beyond the regulatory environment and help companies improve overall security and availability of information assets, reduce operating costs, and increase the quality of IT service throughout the enterprise.

Roadblocks to compliance

As most enterprises know, ensuring the integrity of information comes with multiple IT challenges, which in turn create roadblocks to sustaining IT compliance over time. These include:

• Complexity  Due to increased levels of merger and acquisition activity in recent years, IT infrastructures have become a complex maze of heterogeneous hardware and software. In addition to technological complexity, IT executives are also responsible for interpreting the IT requirements for multiple global regulations.
• Manual processes  Federally mandated processes inevitably are supported by personnel who manually aggregate information, assess status, address shortcomings, and pull together reports. This is a costly and error-prone methodology that is not easily repeatable.
• Lack of standardization  Inconsistent processes across business units and geographies create fragmented efforts involving multiple ways of testing, measuring, and reporting on the same IT control. In an October 2004 internal controls survey conducted by Ernst & Young, LLP, nearly one third of the organizations surveyed were testing more than 1,000 controls, predominantly among organizations greater than $5 billion in revenue.

A strategic approach to compliance

To achieve and sustain real IT compliance, enterprises should take a three-step approach: assess their current compliance posture, establish IT controls, and sustain IT compliance.

• Assess the current compliance posture  The first step involves planning, in order to understand the scope of the effort needed. To obtain this information, companies must dig into their processes and technologies to inventory the IT environment, as well as understand how internal/external risks and threats affect critical business processes. This effort includes mapping assets to compliance requirements; performing a gap analysis (i.e., the necessary IT controls to meet compliance and business requirements must be tested to identify security and availability weaknesses); comparing current IT controls with industry standards (such as ISO 17799); and creating an action plan.
• Establish IT controls  Based upon the risk assessment, gaps in the IT control structure must be closed by implementing the necessary IT controls to create a secure, available, and resilient infrastructure. This includes testing existing IT controls and remediation of control gaps through change management activities such as software provisioning or patch deployment. The goal here is to implement automated and standardized IT controls utilizing common best practices and technologies. Once new IT controls and processes are in place, it is important to document and communicate them to all internal stakeholders. General IT control categories include records retention, protection, and retrieval; threat detection; vulnerability detection; security infrastructure remediation; and business continuity/disaster recovery.
• Sustain IT compliance  Of course, an IT control and process is only as good as its ability to be managed and audited to demonstrate compliance. Once the proper IT controls are implemented and documented, an automated and standardized process should be established for the continual measuring and testing of IT controls, remediation of IT controls that fall out of compliance, recording the process, and reporting it to internal and external auditors to demonstrate that compliant processes are in place.

The need for a 'system of record'

Increasingly, enterprises that focus on strategic compliance, while mindful of meeting individual compliance requirements, are beginning to implement what some observers call a "system of record" for their business. Such a system precludes chasing after regulations by ensuring that the right people, processes, and technology are in place to focus on assessing risk and deploying protection. One of the objectives of strategic compliance is to incorporate standard processes and a level of awareness into employee behavior. To gauge progress in this area, a security awareness audit can be conducted, the results of which can then be used as a basis for training and communications programs. To achieve the best results, such cultural changes must be driven by executive management.

Conclusion

Today's enterprises need to evolve their compliance efforts from ad hoc projects to cost-effective and efficient processes that can be applied across various compliance initiatives involving the security and availability of information. Or as researchers from Gartner Inc. put it in a report earlier this year:

"Compliance imposes a discipline and a structure that ensures documented decisions about how the business is run. It provides a mechanism for implementing best practices throughout the business, which will lead to improved business performance. Companies are realizing only now that the 'tough love' regimen imposed by compliance does lead to long-term benefits in terms of improved business performance."

Enterprises stand to gain the most by approaching compliance as a strategic initiative. A strategic approach helps enterprises better understand and mitigate compliance risks, improve the IT control structure, and increase efficiencies across the organization.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.