Once upon a time, Corporate America used technology pretty much for one reason: to help companies do things.

IT systems were a constellation of computer programs to manage and manipulate data and recover information as needed. And in that environment, says Thomas Bookwalter, founder of the consulting firm FMDC, IT departments typically worked in their own world, only tapped to develop new applications or help restore old ones to operational effectiveness.

Then came the paradigm shift of a heightened regulatory environment, use of electronic communication, and risks of business litigation—which has turned the purpose of IT systems inside-out. Companies now need a way to track records and information as they evolve and to access that data efficiently.

Designing controls for IT systems to do that is no easy task. The challenge, Bookwalter says, is that while regulations are converging on a common set of data, the regulations themselves are not aligned with one another; they all require different aspects of the same information.

“What companies don’t have is a sense of the collective impact of their regulatory environment, and few have any way to instruct their technologies on how to deal with that,” he says.

Still, companies must try to solve the problem anyway. As a result, IT departments need to be far more conversant in a company’s regulatory and legal responsibilities than ever before. Similarly, those who oversee compliance efforts must understand IT systems and their issues and requirements.

“The business processes are where everything starts and the whole reason IT is involved in the compliance effort,” says Ed Hill, a managing director at consulting firm Protiviti. “You’ve got to have a very clear understanding of why and what the business processes are relying on to get to your right scope of compliance requirements.”

Hill and his colleague, Jeff Weber, list some steps companies can use to develop an entity-wide view of governance that defines the risks, policies, and metrics for the IT organization, which can then be used to determine what IT controls a company needs.

First, companies should classify their business processes and correlate them to the application and the IT processes and environment. This helps to understand the impact those processes have on the IT environment and the associated risks.

Second, companies should clearly define the processes that support and manage their critical applications, outline the policies and procedures that support those processes, and identify the metrics used to monitor the processes.

Third, companies need to identify what data is critical to the company and define who within the organization has ownership over the information. That will allow the business to see which applications and processes interact, update, and rely upon that data.

Once those steps have been taken, companies can then begin building the actual IT compliance solution, Hill and Weber say.

Automating Improved Controls

“Our information assets have economic value,” says Wain Kellum, chief executive of Trusted Network Technologies. “The new threat is that information assets on a network—for example, Social Security numbers and credit cards—have a real value on the black market. Breaches inside the network are a huge problem for every company. There is a significant threat from within.”

Technology doesn’t resolve all problems, but it is a way to automate good processes. To help companies determine which technologies they should consider for both operational efficiency and compliance purposes, Paul Proctor and Mark Nicolett of Gartner Research have identified six security technologies to assist with auditing issues. They are: identity and access management; security information and event management; configuration audits; content monitoring and data loss prevention; database activity monitoring; and security controls and policy management.

“It’s hard to think of an instance where controls would be manual,” says Phil Neray, vice president of marketing at Guardium. “Automated controls are more accurate and less prone to human error and can be implemented in a way that supports multiple governance objectives at the same time.”

Identity and access management tools can be the cornerstone of compliance controls, according to Proctor and Nicolett. Those functions encompass the documentation, review, and approval of access controls, roles, segregation-of-duties rules, and privileges assigned to various users of the company IT systems.

Security information and event management technology provides real-time event management for security data and helps IT security operations personnel to be more effective in discovering and managing security events, as well as reporting and historical analysis to support security policy compliance management and the generation of security metrics.

Configuration auditing detects changes in infrastructure components and reconciles them with authorized change requests. An effective configuration auditing process can provide evidence that an IT environment has integrity.
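As an added illustration of that reconciliation step (example code, not from the article or from Gartner): a small Python audit that hashes configuration files against an approved baseline and then matches each detected change to the change-request register. File paths, file contents and the ticket id are constructed; a change with no covering ticket is reported as unauthorized.

```python
import hashlib

# Constructed baseline: file path -> SHA-256 of the approved configuration content.
BASELINE = {
    "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\nPasswordAuthentication no\n").hexdigest(),
    "/etc/sudoers": hashlib.sha256(b"root ALL=(ALL) ALL\n").hexdigest(),
    "/etc/app/db.conf": hashlib.sha256(b"pool_size=20\n").hexdigest(),
}

# Constructed current state as a scan would observe it (one file changed with a ticket, one without).
OBSERVED = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/app/db.conf": b"pool_size=40\n",
}

# Constructed change-request register (hypothetical ticket id): the files each approved ticket may touch.
APPROVED_CHANGES = {
    "CHG-1001": {"/etc/app/db.conf"},
}


def detect_changes(baseline, observed):
    """Return the set of baseline paths whose current hash differs, or that are missing."""
    changed = set()
    for path, expected in baseline.items():
        content = observed.get(path)
        if content is None or hashlib.sha256(content).hexdigest() != expected:
            changed.add(path)
    return changed


def reconcile(changed, approved):
    """Split detected changes into those covered by a ticket and those with no authorization."""
    covered = {path: ticket for ticket, paths in approved.items() for path in paths}
    authorized = {p: covered[p] for p in changed if p in covered}
    unauthorized = sorted(p for p in changed if p not in covered)
    return authorized, unauthorized


def audit(baseline=BASELINE, observed=OBSERVED, approved=APPROVED_CHANGES):
    """Run detection and reconciliation; the unauthorized list is the audit finding."""
    return reconcile(detect_changes(baseline, observed), approved)


if __name__ == "__main__":
    auth, unauth = audit()
    for path, ticket in auth.items():
        print(f"AUTHORIZED   {path} ({ticket})")
    for path in unauth:
        print(f"UNAUTHORIZED {path}")
```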

Content monitoring and data loss prevention are the most comprehensive solutions for detecting information loss. That said, before deployment, businesses should obtain legal guidance since different states and countries have different laws regarding employee monitoring.

Database activity monitoring can be enabled in two ways, either as an embedded agent analyzing native application data or as a network appliance decoding network traffic to create a transaction log. This type of monitoring can be considered as a viable stopgap for legacy systems (say, while the systems are re-engineered for encryption), and for new systems to provide significant security benefits of their own.

Security controls and policy management involve the development of policies that define how security and integrity are ensured for IT resources. The IT controls built by an organization typically are composed of two major components: written policies that are distributed, read, and acknowledged by individuals, and technical controls implemented via configuration settings on computer systems.

“The threat landscape is changing because the risk exposure has moved to mission-critical information assets deep inside a network,” Kellum says. “Executives are accountable and need to take responsibility for prioritizing assets and setting appropriate access policy. After that, establish the controls and audit the heck out of it, verifying that the access policies were properly enforced.”