New products aim to streamline compliance efforts

Having trouble keeping up with SOX, Basel II and PCI? Two companies are promising to help organizations gain control of their multiple compliance responsibilities.

For overworked security departments, ensuring compliance with a range of different regulatory requirements can become a huge task. Many organisations end up with several teams, each of them dedicated to a specific standard, such as PCI DSS, Sarbanes-Oxley, Basel II, ISO 27001 or the Code of Connection for local government.

The compliance effort can prove not only expensive, but also very inefficient since most of the regulations have many things in common, and so much work is unnecessarily duplicated.

Now two companies are promising to help organisations gain control of their compliance responsibilities, and save time and money by rationalising their efforts.

Both of the solutions rely on the Unified Compliance Framework (UCF), a service provided by Network Frontiers LLC, which tracks the development of hundreds of global regulations and pulls their requirements together to see where they overlap.

The first product comes from OpenPages Inc., a long-term player in the compliance market. Combining the UCF with its own governance software, the company is launching a reporting and management tool that will work across multiple compliance initiatives, and break down the inefficient siloed approach, according to Gordon Burnes, head of marketing for OpenPages. "UCF tracks more than 400 laws, regulations and guidelines from around the world, and provides a set of 2,500 harmonised controls," he said.

As well as tracking progress in compliance, he said the system will allow companies to carry out "what if?" modelling of any changes they plan, to see how the changes could affect their compliance position.

The other new offering comes from Lumension Inc. and is based on the compliance and risk management technology it acquired with the purchase of SecurityWorks Inc. last April.

Now rebranded as the Lumension Risk Manager, it is underpinned by the UCF to provide up-to-date information about all relevant regulations. Alan Bentley, head of vulnerability management at Lumension, said the new product enables companies to combine and streamline compliance and IT risk, and to have the ability to manage it in real-time.

Taking feeds from systems under the scope of compliance -- which could be servers, databases, desktops or other devices -- the central monitor maps their state of security against a nominated set of regulations and highlights any areas of non-compliance.

"We are offering an automated repeatable and manageable process that feeds into both risk and compliance, and helps organisations manage their IT risk against their IT systems," Bentley said. "This feeds into their compliance requirements on a daily and weekly basis. It means they can make fine-tuning adjustments throughout the year and then be ready for their audit when it comes around, rather than having a mass panic each time."

While the OpenPages offering is aimed mainly at very large organisations, Lumension is also targeting smaller organisations with 500 to 2000 employees.

"Smaller organisations still have to spend a lot of money managing their one or two requirements -- such as PCI or the Code of Connection, for example," Bentley said. "They don't have the skills, so they have to pay a consultant to figure out which parts of their systems and networks are affected by the regulations, and what they need to do about it to be ready for the audit. It can be very onerous for a relatively small organisation."

Mark Nicolett, an analyst with the Gartner Group specialising in governance and compliance, said it is essential to automate and streamline as much of the compliance process as possible. "One of my clients cut 60% off the cost of reporting requirements by doing automation," he said.

By working from a central library of requirements, he said, it is possible to scan systems once and then report back on the various requirements and standards.

He added that there are several other players in the IT GRC (governance, reporting and compliance) management market, including Agiliance Inc., Archer Technologies LLC, BWise Inc., Computer Associates Inc., Information Governance, Modulo, Relational Security Corp., Symantec Corp., Telos Corp. and Trustwave Inc. Many of these companies also license the UCF for their information about the various regulations and standards, Nicolett said.
