We have seen the convergence of IT compliance and security through the implementation and heightened enforcement of an ever-increasing number of regulations and frameworks such as SOX, PCI DSS and ISO/IEC 27002. The pressure to demonstrate compliance with multiple standards is increasing, with some organisations now subject to three or more regulatory mandates - each with its own mission, scope and control statements - creating a highly complex, organisation-spanning "compliance Hydra" that spawns a new and costly head at every turn.
The Security Compliance Council indicates that there are three key challenges that organisations face when dealing with compliance: the increasing cost of compliance, the increasing risk of non-compliance, and the growing complexity of managing compliance with multiple regulations.
Organisations are increasingly responding with the implementation of automated tools to map, manage and report on multiple regulations simultaneously. Such automation can identify the relationships that exist between the various regulatory control statements, help to create organisational policies that connect directly to technical baselines, and greatly reduce duplication of activity. The opportunity is here to achieve more than mere compliance, as automation should improve IT governance overall. Rolling out common best practice frameworks and helping to standardise the right information security stance for the company's risk profile should also be a priority.
Effective compliance automation tools should be based upon a workflow that mirrors the common compliance life-cycle phases. They should focus on features that provide the ability to automate many of the labour-intensive and repetitive actions that create the complexity of compliance processes.
Automated tools should also be able to create an accurate inventory of compliance activities, such as the number and priority of assets in scope and the amount and type of evidence and audits required. They should enable the mapping of regulatory mandates and frameworks to policies and technical controls. Policy management functionality should also feature, with the ability to create, disseminate and enforce organisational and technical policies.
Management of technical controls should support the automation of important assessment and remediation tasks, through features such as agentless data collection, integrated network scanning, patch management and user privilege management. Control management features should also be supported by up-to-date remediation guidance and include the ability to assess and report on non-programmatic (procedural) controls. Query capabilities and flexible reporting are also essential to track the compliance status of assets within the inventory, and graphical dashboards and configurable reporting templates should permit easy-to-digest compliance views. Audit evidence management is important to support investigative and scheduled evidence gathering.
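The following Python sketch is an added illustration, not part of the original article nor of any Symantec tool, of the mapping and query capabilities described in the two preceding paragraphs: several frameworks' control statements are cross-walked onto one shared set of technical controls, each in-scope asset is assessed once against that baseline, and compliance status is then queried per asset and per framework. The framework names are real, but every control identifier (SOX-A, PCI-1, ISO-X and so on), technical control name and asset is a constructed placeholder, not a real clause number or system.

```python
"""Constructed model of a regulation-to-control crosswalk.

Several frameworks' control statements map onto one shared set of
technical controls; each asset is assessed once against that baseline,
and compliance is then reported per framework and per asset.  Framework
names are real; every control id, control name and asset below is a
constructed placeholder, not a real clause number."""

# Crosswalk (placeholder ids): each regulatory statement points at the
# technical baseline controls that satisfy it.  The three frameworks
# overlap heavily on the underlying technical controls.
CROSSWALK = {
    "SOX":           {"SOX-A": {"patching", "privileged-access"},
                      "SOX-B": {"log-retention"}},
    "PCI DSS":       {"PCI-1": {"patching"},
                      "PCI-2": {"privileged-access", "log-retention"},
                      "PCI-3": {"network-scan"}},
    "ISO/IEC 27002": {"ISO-X": {"patching", "network-scan"},
                      "ISO-Y": {"log-retention"}},
}

# Constructed assessment results: one collection pass per asset, one
# verdict per technical control (True = control found in place).
ASSESSMENTS = {
    "db-01":  {"patching": True, "privileged-access": True,
               "log-retention": True, "network-scan": True},
    "web-02": {"patching": True, "privileged-access": True,
               "log-retention": True, "network-scan": False},
}


def technical_controls(crosswalk):
    """The deduplicated technical baseline: every distinct control that any
    framework references.  Assessing these once covers every mapped mandate."""
    return set().union(*(tc for fw in crosswalk.values() for tc in fw.values()))


def duplication_saved(crosswalk):
    """Number of control checks avoided by assessing the shared baseline once
    rather than once per regulatory statement."""
    per_statement = sum(len(tc) for fw in crosswalk.values() for tc in fw.values())
    return per_statement - len(technical_controls(crosswalk))


def framework_status(asset_results, crosswalk):
    """Per framework, the regulatory statements this asset fails.  A statement
    is met only when every mapped technical control passed; a control with no
    recorded result is treated as failing (missing evidence is non-compliance)."""
    failing = {}
    for framework, statements in crosswalk.items():
        failing[framework] = sorted(
            sid for sid, controls in statements.items()
            if not all(asset_results.get(c, False) for c in controls))
    return failing


def compliance_report(assessments, crosswalk):
    """Dashboard-style query: asset -> framework -> failing statements.
    An empty list means the asset is compliant with that framework."""
    return {asset: framework_status(results, crosswalk)
            for asset, results in assessments.items()}


def compliant_frameworks(assessments, crosswalk):
    """Frameworks that every asset in scope satisfies, i.e. the answer to
    'are we compliant with X?' across the whole inventory."""
    report = compliance_report(assessments, crosswalk)
    return sorted(fw for fw in crosswalk if all(not report[a][fw] for a in report))


if __name__ == "__main__":
    print("technical baseline:", sorted(technical_controls(CROSSWALK)))
    print("checks avoided by mapping:", duplication_saved(CROSSWALK))
    for asset, status in compliance_report(ASSESSMENTS, CROSSWALK).items():
        print(asset, status)
    print("frameworks met by all assets:", compliant_frameworks(ASSESSMENTS, CROSSWALK))
```

Two design choices matter for a real deployment: a control with no collected evidence is reported as failing rather than silently passing, so gaps in data collection surface on the dashboard instead of hiding an exposure; and a single failed technical control (the missing network scan on web-02) is reflected in every framework that maps to it, which is exactly the duplication the crosswalk removes from the assessment work.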
As the "compliance Hydra" continues to grow more heads, the effective use of automation tools should not only reduce the pain of managing multiple and complex compliance projects but should also minimise the associated costs and opportunities for non-compliance. Compliance automation serves to standardise the compliance activities across the organisation, ensuring that the assessment and measurement of compliance is a timely, efficient and repeatable process. An organisation's IT governance should benefit from compliance automation, ensuring that business and IT policies are created, aligned and maintained against the backdrop of evolving regulatory mandates and best practice frameworks.
Through the frequent monitoring of technical and procedural controls and their respective mapping to regulations and policies, organisations can ensure that they are not only compliant at the point of audit, but create an ability to confidently manage and sustain compliance over the long term.
James Hanlon CISSP is a principal security consultant with Symantec
This was first published in January 2008