Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Get updates on Compliance Week offerings, including new features, databases, research, and other resources, along with announcements of upcoming Webcasts, conferences, seminars, CPE/CLE opportunities and more.

Published every Thursday, Compliance Week Europe offers a condensed summary of risk, audit, and compliance news either originating in Europe, or of special interest to European compliance professionals. This newsletter will follow developments by the European Commission, as well as those of national governments across the region, or any U.S.-based news that might have consequence across the Atlantic. Frequency: weekly; Thursday a.m.

A fresh edition of Compliance Week delivered via e-mail and online every Tuesday morning, relentlessly focused on the disclosure, reporting and compliance requirements of our 25,000+ paying subscribers.

Published every Friday, Compliance Weekend was launched at the behest of subscribers, and offers a quick Plain English review of the week's key developments. We hope you enjoy this supplement to Compliance Week's Tuesday edition.

GAAP For IT? Conflicting Standards Abound

Todd Neff | November 28, 2006

If compliance is from Mars, then IT security is from Venus. Take Sarbanes-Oxley compliance as an example. The law makes clear that a corporation’s financial information shall be secure, but it says nothing about exactly how a company is supposed to achieve security in the IT realm.

At the other, far more verbose end of the spectrum, companies have an abundance of IT standards that aim to translate Sarbanes-Oxley’s broad legal, accounting, and information-management requirements into pragmatic directives that IT professionals can use.

In fact, IT-security experts say there are too many standards and that none do the job well—among the many acronyms representing standardization efforts aiming to wed compliance and information security are COSO, COBIT, ITIL, ISO 17799, ISO 27002, NIST’s 800 Series, PCI, CISWIG, and GAISP.

Some say the world needs a new IT-security standard: a Generally Accepted Accounting Principles for computing. Others advocate for taking existing standards and applying them to one’s business with a keen eye on risk. Just about everyone agrees that vigilance in such basics as IT configuration can drastically strengthen compliance at minimal cost, while at the same time improving an IT department’s overall efficiency.

Le Grand

“The wonderful thing about standards is there are so many of them,” quips Charles Le Grand, a principal at the TechPar Group consulting firm and former director of technology practices for the Institute of Internal Auditors. “If you lined them up end-to-end, they’d all point in different directions. Not one is focused on gaining consensus.”

At the dawn of SOX, Le Grand says, auditors showed up with 400 COBIT-control objectives over IT, and chief information officers simply would pick and choose what they could and couldn’t do. “The thing that was missing was risk assessment,” he says. “It’s still hard to make clients understand broader issues when all they want is to get auditors off their backs.”

The news isn’t all bad. Le Grand says more companies are asking questions such as whether security controls are tight enough to identify who accesses what information and how they are manipulating data. Without such basics, “you can apply all the simple solutions out of COBIT that you can stuff into your million-dollar budget, and come nowhere near complying with real requirements of the SOX Act,” Le Grand says.

COBIT stands for Control Objectives for Information Technology; it is published by the Information Systems Audit and Control Association, and is perhaps the most well-known IT controls framework. Still, COBIT isn’t meant to solve every IT-security problem, says Debra Mallette, a healthcare industry “process architect” who helped develop the framework. She compares COBIT and IT security to the Global Positioning System and navigation.

“With GPS, you know latitude and longitude, and you use that to get where you want to go,” Mallette said. “It doesn’t tell you how to drive the car or fly the airplane.” She doubts the possibility that universally accepted, detailed IT-security standards capable of explaining every IT instrument in every corporate data center could ever be created.

“You can’t legislate in such detail,” she says.

Setting Standards

Actually, Will Ozier does want to legislate in detail—and says $500,000 could do the trick. Ozier, founder of IT-security consulting firm OPA, leads the Information Systems Security Association’s effort to create a body of standards known as Generally Accepted Information Security Principles, or GAISP.


Fourteen high-level “pervasive principles” for top management and board members have long been written, as have 19 principles for line managers, Ozier says. What’s missing are the roughly 650 detailed principles an IT maven could love, and which could provide the “commonality of language” to bridge the audit-IT divide. As an example, Ozier says, detailed principles on physical access might explain the ins and outs of padlocks, push-button cipher locks, key card locks, and biometrics.

Howard Schmidt, the international president of ISSA, is less bullish on GAISP’s prospects—or any new IT security standard, for that matter. “People don’t want another standard,” he insists. “It won’t fly.”


Technological progress and varying international and industry standards always will place “perfect” universal standards in opposition to very good, tailor-made solutions that various special interests develop themselves, Schmidt contends. He foresees industry-specific security standards evolving over the years, as IT and security professionals, auditors, and risk officers develop best practices based on a mishmash of standards.


Below are some pointers, recommended by individuals interviewed in the article at left, on how to synch up IT and compliance:

  • Configure, Configure, Configure. An estimated 90 percent of IT-system vulnerabilities can be tackled by properly configuring operating-system hardware and application software. Start by checking out the Center for Internet Security’s free benchmarking and scoring tools (see link, below).
  • Take Off The Blinders. COBIT and related IT standards are a good place to start, but they don’t contain the detail necessary to serve as a definitive guide. In addition, such frameworks do not take into account the subtleties and unique characteristics of your particular company, culture, controls and strategy. Many experts doubt such a universal standard is possible, so explore all options, standards, guidance and commentary.
  • Start At The Top. Take a risk-based approach to compliance, controls and related IT challenges. A top-down, risk-based approach (as opposed to a control-specific, bottom-up approach) to information-security practices can pay long-term benefits in IT efficiency.

Related Resource:

Security Level Benchmarking And Scoring Tools (Center For Internet Security)

“You build a matrix so whole groups of people are singing from the same songbook,” Schmidt says.


Until that harmonious day, companies should focus on basics like configuration, says Clint Kreitner, president of the nonprofit Center for Internet Security. Windows XP has about 200 security parameters that need assigning, he says, ranging from password management to audit-log entry. Most of them ship disabled.

“It’s like buying a car and having the dealer tell you the antilock brake system is in a cardboard box in the trunk,” he quips.

Kreitner says proper configuration can take care of more than 90 percent of known security vulnerabilities with relatively minimal effort. “It doesn’t solve any of the people problems, but it blocks those technology paths into the system,” he says.


Stephen Northcutt, president of the SANS Technology Institute, a graduate school devoted to information security, agrees. Configuration and a keen understanding of network traffic are the foundations of IT security, he says. For Sarbanes-Oxley specifically, Northcutt recommends putting financial systems in their own data center and enforcing solid change-management controls backed up by a change-detecting system.

Such moves can pay off. Kreitner points to a recent Information Technology Process Institute study which found that “high-performing” IT enterprises emphasize two things: change management and configuration management. Such bottom-up approaches to information security don’t always align perfectly with COBIT control objectives, but they improve compliance and save money, he says.

“Because the compliance approach has become a CYA exercise, everybody feels they’ve got to do everything, and that’s where all the money has been spent,” Kreitner says.

Ozier says managers focusing on auditors’ check-the-box approaches can lose the benefits of an IT environment whose controls were developed rationally, and based on some approximation of true risk. “Controls are not about decreasing efficiency; they’re about optimizing,” he says. “If you’re doing a compliance-based approach to control management or risk management, you are most certainly throwing money away.”