
Compliance Automation
Suzanne Dickson. The Internal Auditor. Altamonte Springs: Feb 2007. Vol. 64, Iss. 1; pg. 27, 2 pgs

Abstract (Summary)
For many organizations, regulatory compliance has become the principal focus of information technology (IT) spending. An effective compliance framework must combine people, business processes, and IT in a way that is integral to the organization's ongoing business strategy -- rather than being a special project. A key challenge organizations face in today's compliance environment is how to tie together all the tools and information to provide a universal view of compliance. Finding and documenting security gaps and exposures is one of the most cost- and labor-intensive aspects of compliance. Just as business performance improvement is an ongoing objective that requires continual attention and effort, regulatory compliance is an unending business process. By using automated tools, internal auditors can help their organization meet complex regulatory requirements more efficiently, improve accuracy, reduce costs, and measure performance improvements from compliance efforts.

Software tools can give auditors more insight into the controls and policies their organization needs to meet regulatory mandates.

For many organizations, regulatory compliance has become the principal focus of information technology (IT) spending. More money is being spent on meeting compliance requirements than on protecting against security threats and filling business-related needs, according to SecurityCompliance.com, a security research Web site.

An effective compliance framework must combine people, business processes, and IT in a way that is integral to the organization's ongoing business strategy - rather than being a special project. A major component of an effective compliance framework is having a set of IT applications that tracks regulatory compliance automatically. Moreover, IT tools can help groups from all parts of the company leverage compliance-related measurements and controls as a means of identifying and improving inefficient internal business and technology controls on a continuous basis.

A key challenge organizations face in today's compliance environment is how to tie together all the tools and information - across all relevant regulations and a common set of actionable IT controls - to provide a universal view of compliance. Internal auditors can meet this challenge because they have a broader view of the overall stability of the organization's compliance efforts.

AN AUTOMATED APPROACH

Finding and documenting security gaps and exposures is one of the most cost- and labor-intensive aspects of compliance. Some businesses try to leverage homegrown, manual methods such as spreadsheets, hoping to cut costs and implement compliance controls within the required time frame. Although the low cost of implementing this approach is initially appealing, organizations may struggle over time with scalability and reliability. Such manual processes are error prone and often overlook policy deficiencies.

Implementing an automated, consistent, and repeatable process for testing, measuring, updating, and reporting on IT security controls can result in continual performance improvement. Automation can help auditors identify and eliminate deficiencies in such critical areas as customer service, sales, invoicing, and inventory controls; information access, storage, and archive policies; and other processes and supporting technologies. In addition, automated processes can enable auditors to bring together compliance initiatives managed by different groups in separate departments, eliminating duplicate efforts to test and measure the same IT control function across the organization.

Automation can also improve end-user awareness and policy enforcement. Internal auditors should educate information systems users about compliance requirements and policies.

IT TOOLS

With so many different regulations to consider across an entire enterprise, it is nearly impossible to correlate business requirements with regulations and policies without an automated tool set. Internal auditors can use these products to automatically perform tasks such as auditing and examining the IT control environment in real time; developing and publishing reports to measure the effectiveness of IT security controls in meeting standards and regulations; demonstrating due care of compliance; mapping control information to specific policies to recommend improvements to the control environment; and collecting, integrating, and retaining trend analyses and evidentiary information from disparate control mechanisms for audits and documentation requests.

POLICY MANAGEMENT

Automated applications enable organizations to define, create, and disseminate policies and track end-user acceptance. Because many organizations are impacted by more than one mandate, a growing number of products map policies to multiple frameworks, standards, and regulations. When integrated with infrastructure assessment software, these tools can supply auditors proof of the organization's policy compliance.

VULNERABILITY DETECTION

Identifying IT security risks is made easier through technology that evaluates critical applications and operating systems and intelligently assesses and reports deviations in areas such as password strength, default accounts, user rights and permissions, and vulnerability and patch status. These products automatically identify and prioritize security threats that affect applications, enabling auditors to assess the effectiveness of security policies and recommend ways to strengthen them.

ASSESSMENT

Technology tools can help organizations establish, test, measure, and remedy control deficiencies and give auditors a view of IT compliance progress. Assessing and managing IT technical controls is eased by tools that establish baseline configurations for all major operating systems and identify exceptions to configuration standards. Many tools also leverage global networks of Internet activity sensors and security professionals to respond to fast-moving threats.

GOVERNANCE

Automated software can streamline governance of a compliance and performance improvement environment. Some tools have compliance assessment and reporting capabilities that integrate data from a variety of sources through a single interface that auditors could use to assess and demonstrate IT policy compliance and identify deficiencies. Some products report gaps in coverage of key regulations and frameworks automatically, while other tools capture and report on user acceptance and waivers to policies.

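The baseline assessment, waiver tracking and framework mapping described in the VULNERABILITY DETECTION, ASSESSMENT and GOVERNANCE paragraphs above, as a small added example written for this page (it is not code from any product the article mentions; the control IDs, thresholds, framework tags, host inventory and patch identifier are all constructed):

```python
from dataclasses import dataclass
from typing import Callable
@dataclass(frozen=True)
class Control:
    cid: str                       # hypothetical control identifier
    description: str
    frameworks: tuple              # illustrative framework/regulation tags
    check: Callable[[dict], bool]  # True when a host configuration satisfies the control
# Constructed baseline: control IDs, thresholds and framework labels are illustrative.
BASELINE = (
    Control("PW-01", "minimum password length of 12", ("SOX-ITGC", "PCI-8.2"),
            lambda h: h.get("min_password_len", 0) >= 12),
    Control("ACC-02", "no enabled default accounts", ("PCI-2.1",),
            lambda h: not any(a["default"] and a["enabled"] for a in h.get("accounts", []))),
    Control("PRV-03", "at most two administrator accounts", ("SOX-ITGC",),
            lambda h: sum(a["admin"] for a in h.get("accounts", [])) <= 2),
    Control("PAT-04", "no missing critical patches", ("PCI-6.2", "HIPAA-164.308"),
            lambda h: not h.get("missing_critical_patches")),
)

def assess(hosts: dict, waivers: set = frozenset()) -> dict:
    """Return {host: {"failed": [...], "waived": [...]}}; a (host, control) waiver is an accepted exception."""
    report = {}
    for name, cfg in hosts.items():
        failed, waived = [], []
        for c in BASELINE:
            if not c.check(cfg):
                (waived if (name, c.cid) in waivers else failed).append(c.cid)
        report[name] = {"failed": failed, "waived": waived}
    return report

def framework_gaps(report: dict) -> dict:
    """Map each framework tag to the hosts with an unwaived failure of a control it covers."""
    by_cid = {c.cid: c for c in BASELINE}
    gaps = {}
    for host, r in report.items():
        for cid in r["failed"]:
            for fw in by_cid[cid].frameworks:
                gaps.setdefault(fw, set()).add(host)
    return gaps

# Constructed inventory (not real hosts; the patch identifier is a placeholder).
acct = lambda name, default, admin: {"name": name, "default": default, "enabled": True, "admin": admin}
HOSTS = {
    "web01": {"min_password_len": 14, "missing_critical_patches": [],
              "accounts": [acct("ops", False, True)]},
    "db02": {"min_password_len": 8, "missing_critical_patches": ["patch-0001"],
             "accounts": [acct("sa", True, True), acct("dba1", False, True), acct("dba2", False, True)]},
}
WAIVERS = {("db02", "PRV-03")}  # accepted exception for the third administrator account
```

Waived findings are kept out of the framework-gap view but still appear in the per-host report, so an auditor sees both the open deficiencies and the accepted exceptions.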
A UNIVERSAL VIEW

Just as business performance improvement is an ongoing objective that requires continual attention and effort, regulatory compliance is an unending business process. By using automated tools, internal auditors can help their organization meet complex regulatory requirements more efficiently, improve accuracy, reduce costs, and measure performance improvements from compliance efforts.

1 comment:

Adeel said...

This is a very interpreting post about Regulatory Compliance System. Thanks for sharing.