Regulations and the audits that they spawn are all about comfort. The lawmakers that have put regulatory requirements in place did so in order to promote prudent management practices. Financial audits, in place for decades, were founded on the premise of gaining comfort over a publicly traded company's financial standing. The surge of compliance efforts of the past few years can all be traced to assuring the comfort of stockholders about the viability of businesses, or providing comfort to individuals that their important personal information is safe.
This tide of regulatory compliance has hit IT hard. For years, IT organizations have been told to be nimble and agile. Fueled by the rapid expansion and breakthroughs in technology, IT responded by streamlining operations, cutting costs, and learning to work lean and mean through automation. With the increased reliance on IT as a part of the business and the ever-changing IT environment, security is an integral piece of the IT infrastructure. From firewalls to configuration management to security event management systems, all have become the fabric of the IT response to managing risk. When it comes to the recent spate of compliance needs for business, though, these technologies have had an unfortunate effect. Stimulated by the vendor community, the IT organization of today has responded by letting technology determine what compliance is.
The Bottom-Up Approach
Just because a firewall can tell you that it blocked an unauthorized attempt from an ISP in China, does this mean this event must be included in the equation to determine whether you are compliant with a regulation? Some may answer, "Yes, of course, because that event could affect financials/business/personal information/insert any other regulatory driver." In some respects, they are correct. I feel better knowing the company I own stock in won't lose a week of productivity due to the latest network worm.
However, the question of whether these technologies are a part of the company's compliance with regulatory requirements can only be answered if management -- the party ultimately responsible for compliance -- has deemed those events truly impactful to the business and is "hanging its hat" on intrusion detection as one of its key controls to keep the business running. Technologies are the enablers for compliance but do not define compliance. Technology should help demonstrate compliance, ease the burden of compliance activities or be used to facilitate the compliance process. Compliance is all about comfort -- the controls the company has put in place to protect the confidentiality, integrity, availability and accountability of information.
The Top-Down Approach
Most auditors start with a control framework -- something that identifies a broad range of prudent management practices -- and drill down into the people, processes and technologies put in place to meet control objectives. COSO, COBIT, ISO 17799 or several other frameworks provide a starting point to identify the controls. It is then a matter of drilling into each control objective and pulling apart the organization to find the controls meeting that objective. This is a top-down approach: decide the objectives, look at the organization and then penetrate into the processes to identify or implement controls. Only by deciding first what the company wants to achieve is the organization actually moving toward compliance.
Policies, standards and controls are the backbone of a compliance program. While technology may automate and ease the implementation of controls, the definition and the communication of the objectives rest in clear, concise policy. Instilling an atmosphere of solid management practices within the organization by clearly stating the organization's position via policy is a clear value.
The sustainability of the compliance program hinges on the manageability of the policy and the ease of staying on top of regulatory requirements. Approaching compliance requirements from the policy perspective first provides the company the opportunity to define what controls mean in the context of the business.
Compliance and Technology
Many technology products now have "compliance" plastered all over their literature. Several years ago, the FUD factor -- fear, uncertainty and doubt -- drove many companies toward certain technologies out of fear of hackers, thieves and spies. While these risks still plague companies, compliance is now a major driver for technology solutions. However, a technology-centric view can lead to a bottom-up approach. This approach misses the true target of compliance -- managing risk and bringing business value. It misses the key components of compliance for people (roles, responsibilities, etc.) and process (business process controls).
We can't let the facts get confused, though. In the case of Sarbanes-Oxley, management must identify the key controls within the environment and test those controls to satisfy the regulation. The regulations are even structured in a top-down approach. They don't mention anti-virus or network quarantine. They do discuss the need for sensible, practical management practices. And this is exactly where these technologies come into play. The top-down approach -- defining clear policy, identifying controls and then implementing technologies where needed -- leads to a more comprehensive controls environment. Measuring against those policies is then the most efficient and effective manner to demonstrate compliance.
Steve Scharlman is chief compliance strategist with McLean, Va.-based Brabeion Software, a risk, compliance and information management solutions provider.