We have seen the convergence of IT compliance and security through the
implementation and heightened enforcement of an ever-increasing
number of regulations and frameworks such as SOX, PCI DSS and ISO/IEC 27002. The
pressure to demonstrate compliance with multiple standards is
increasing, with some organisations now subject to three or more
regulatory mandates - each with its own mission, scope and control
statements - creating a highly complex, organisation-spanning
"compliance Hydra" that spawns a new and costly head at every
turn.
The Security Compliance Council indicates that there are three
key challenges that organisations face when dealing with
compliance: the
increasing cost of compliance, the increasing risk of
non-compliance, and the growing complexity of managing compliance
with multiple regulations.
Organisations are increasingly responding with the
implementation of automated tools to map, manage and report on
multiple regulations simultaneously. Such automation can
identify the relationships that exist between the various
regulatory control statements, help to create organisational
policies that connect directly to technical baselines, and greatly
reduce duplication of activity. The opportunity is here to achieve
more than mere compliance, as automation should improve IT
governance overall. Rolling out common best practice frameworks and
helping to standardise the right information security stance for
the company's risk profile should also be a priority.
Required functionality
Effective compliance automation tools should be based upon a
workflow that mirrors the common compliance life-cycle phases. They
should focus on features that provide the ability to automate many
of the labour-intensive and repetitive actions that create the
complexity of compliance processes.
Automated tools should also be able to create an accurate
inventory of compliance activities, such as the number and priority
of assets in scope and the amount and type of evidence and audits
required. They should enable the mapping of regulatory mandates and
frameworks to policies and technical controls. Policy management
functionality should also feature, with the ability to create,
disseminate and enforce organisational and technical policies.
Management of technical controls should support the automation
of important assessment and remediation tasks, through features
such as agentless data collection, integrated network scanning,
patch management and user privilege management. Control
management features should also be supported by up-to-date
remediation guidance and include the ability to assess and report
on non-programmatic controls. Query capabilities and flexible
reporting are also essential to track the compliance status of
assets within the inventory, and graphical dashboards and
configurable reporting templates should permit easy-to-digest
compliance views. Audit evidence management is important to support
investigative and scheduled evidence gathering.
As the "compliance Hydra" continues to grow more heads, the
effective use of automation tools should not only reduce the pain
of managing multiple and complex compliance projects but should
also minimise the associated costs and opportunities for
non-compliance. Compliance automation serves to standardise the
compliance activities across the organisation, ensuring that the
assessment and measurement of compliance is a timely, efficient and
repeatable process. An organisation's IT governance should benefit
from compliance automation, ensuring that business and IT policies
are created, aligned and maintained against the backdrop of
evolving regulatory mandates and best practice frameworks.
Through the frequent monitoring of technical and procedural
controls and their respective mapping to regulations and policies,
organisations can ensure that they are not only compliant at the
point of audit, but create an ability to confidently manage and
sustain compliance over the long term.
James Hanlon CISSP is a principal security consultant with
Symantec