The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."         Thomas Mann, 1896

IT Regulatory Compliance & Risk Management
Easing the IT Audit

Contributed by: Brabeion Software, Inc.



The Walkthrough

It is audit day! The external auditors are scheduled to perform their walkthrough in two hours before moving into the testing phase. You sit in the conference room readying yourself and organizing your notes and binders one last time. With a sigh of relief that the hard part is over, you think of the busy last three weeks you have spent collecting information for the meeting. This year you are going to head them off at the pass so they don’t have to run around the company for weeks bothering all of the Ops people with requests. Armed with your handy list of documents you think the auditors will be interested in, you run through the collection of paper on your desk.

First, you check to make sure your printout of the security policy printed properly. You hadn’t printed it since last year, but it seems okay. Although it was written four years ago, you take heart in the fact that it was based on BS:7799, a well-known and solid international standard. You flip through the spreadsheets from the Windows group outlining their build process. You glance over these highly organized spreadsheets of controls. Each line has a simple statement like "Password length" and then some technical info. You look through the security hardening script the Unix group gave you. Although you don’t understand each line, you are encouraged by such an efficient automated method of implementing technical controls. Of course, the mainframe team gave you two binders. Their material starts with a RACF operations manual, circa 1989, and ends with a huge printout of the group profiles on the mainframe. The network team only gave you a Visio diagram of the network topology, but there hasn’t been a network outage in over 8 months. You silently encourage yourself again.

The auditors walk in. (You hear the Darth Vader theme in your head as they gather around the table). You smile and begin pushing the documents toward them. Then your world slowly disintegrates - along with your hope of a quick and easy audit.

"Hmmm... BS:7799. That’s a good start, but we will be using the newly released 2005 version of ISO:17799 for our gap analysis against your policy."

"Solid Windows controls. Do you know how these map against COBIT? We will be using COBIT for our operating system analysis."

"This looks like a good Solaris Unix hardening script. What do you do about the Red Hat Linux machines you have started using as web servers? Or the AIX servers that house the DB2 database for the order entry system?"

"1989? Isn’t that a coincidence? I graduated from grade school that year."

"Since you don’t have any network device standards, we will only have to pull the configs from these four border routers, the firewall rules on these two external facing firewalls, the two firewalls inside the DMZ, the 15 routers at the warehouse sites and of course, all of the firewall rules from the firewalls between corporate and your 32 remote sites. Our network guy will be here tomorrow so as soon as you can get those, we will need them."

Hopefully, this scenario isn’t too familiar to you. But at some point, many companies have faced this challenge. What would have followed this simple walkthrough is an incredibly hectic audit schedule, with time and money spent on testing devices, answering questions, retesting, remediating, more testing and more questions, culminating in a not-so-stellar audit report.

While this scenario may seem a bit outlandish, it is not uncommon for companies to struggle with coordinating efforts in these areas. With the recent focus on Sarbanes-Oxley preparation, companies have come a long way in documenting controls. Standardization of controls, for both internal compliance efforts and external audits, has become a must-have in today’s IT world. Even if it isn’t the external auditors performing audits, there are still many other compliance requirements companies face. Management wants to know how the company is situated against HIPAA or what the company is doing to protect information on backup tapes. These questions are triggered by everything from a story on CNN to an inquiry from the internal general counsel faced with some litigation. Only with vigilance and preparation can CIOs, CSOs and CISOs be ready with the answers to these questions.

The ROI of Brabeion Compliance Center

Regardless of the context - regulatory compliance or an audit - policy is considered step one in any security and compliance program. Even though all of the regulations are ambiguous in many areas, one area that they are all explicit about is policy. Policy is an important aspect of management processes that auditors look at. Companies must set policy, communicate requirements and educate their employees on the prudent manner to handle, secure or disseminate information. Brabeion Compliance Center eases the burden of policy management and brings a definitive return on investment to any company seeking to improve the efficiencies and effectiveness of their compliance program.

Start with the best content

In our fictitious scenario above, there were some positives for our beleaguered protagonist. His security policy was based on an internationally recognized standard, and his Windows and RACF teams had documented technical control information. However, his downfall was the relevance and consistency of that content.

Companies struggle with keeping up to date with control information. Some companies have the luxury of deep technical resources to draw upon for knowledge and experience. However, those same resources are the ones that are generally keeping the business moving forward. It isn’t necessarily the best use of your top-notch Unix guru’s time to be culling through security mailing lists and discussion forums to stay on top of the latest technical vulnerabilities. Additionally, many very talented technical people don’t think in the mindset of controls. If their job is to keep the systems up and running, then controls and what the auditors or regulations expect are not top of mind.

Companies can spend between 100 and 200 hours per year managing control content for each technology in their environment. Added up across the enterprise, this effort can be a substantial drain on resources. The kicker is that this is time spent away from moving the business forward - implementing new technologies, driving critical IT services, expanding markets.

Brabeion Compliance Center is built on a substantial, comprehensive library of control information. It is control content written by controls-minded people. Just having the baseline library for your technical people to reference saves time and effort. Your focus can be on taking that information and making it relevant to your business, your technology and your operations.

Put it all in one place

Our hero spent several weeks pulling together information in our opening scene. The formats were all different; the only common denominator was that everything could be printed out and put in binders. This format is hardly conducive to communicating with a small audit team, much less a large enterprise.

With Sarbanes-Oxley, many companies have built a collection of controls that sits somewhere between the internal audit function and the IT department. However, this valuable collection of controls is neither comprehensive for the full company nor easily transferable to other regulatory compliance requirements. Centralization of control information is a must for a consistent approach across any enterprise. Along with centralization, applying a consistent methodology in the development of policies, standards and controls improves usability. Centralization eases modes of communication and allows the company to disseminate information much more quickly.

Companies make many stops on the path to an organized policy and control management infrastructure. Spreadsheets, PDFs and Word documents are usually the first stop along the way. These methods may help with information collection but leave much to be desired as a communication medium. The next stop is intranets and websites. These improve communication and may add some search capabilities, but they still rely on static documents for content, limiting flexibility and manageability. Internally developed solutions or other content management applications are then expected to fill the gaps and turn static documentation into a living infrastructure. The result is either a costly development project or fitting security and control information into a system that isn’t designed to meet the requirements.

Brabeion Compliance Center is designed to be the "one-stop" shop for security and control information. With its web-based interface, it is specially designed to meet the requirements of security and compliance professionals while providing an intuitive portal for end users seeking to find information. Brabeion Compliance Center has been developed over the past several years specifically to meet the communication needs of organizations.

Pull the pieces apart and then put them back together

Documenting policies and controls is just the first step. As our leading man found out, auditors may use several benchmarks to analyze the controls environment. Additionally, each regulation that a company must comply with has a special focus. How many organizations can frame their internal controls in the context of COBIT, HIPAA, ISO:17799 or any other regulation or control framework without a major analysis effort? Therefore, it is crucial to put together the documentation in a manner that is flexible and manageable.

Connection to specific regulations and control frameworks is just the first step. Policy cannot stop at a high level but must drive down to the detailed controls level if the company wants a truly efficient and effective controls and risk management process. Additionally, policies, standards and controls may be applied differently to different pieces of the organization. Finally, the employees that are responsible for implementing controls must be able to weed through all of the requirements and get to the information they need. It is for these reasons that a simple content management process or format is not sufficient for today’s compliance programs. It takes a tool designed to meet these requirements with the built-in intelligence to move a compliance program forward.

Brabeion Compliance Center is built with these needs in mind. With its flexible and unique information model, Brabeion Compliance Center can get from regulation to control easily. The framework puts your organization in control of its content with an intelligent and thoughtful design. IT security administrators, IT administrators, compliance teams and internal audit can get on the same page using BCC’s functionality.

The Bottom Line

Audits, whether internal or external, require effort and time from IT resources. No tool can, or should, eliminate the critical interaction between IT and the auditors. Audits provide a key business function and give an external perspective on IT processes and controls. However, proper preparation will reduce the amount of effort and improve the quality of the interaction and the time spent on the audit.

Ask yourself these questions to consider the impact Brabeion Compliance Center would have on your organization:

  • How much time did it take to organize control information for the last audit?

  • Do you feel you spend too much time explaining your processes, practices or controls to the auditors?

  • Do you feel that your personnel are educated on the policies and standards and are prepared for audits?

  • Do you feel the auditors expend too much effort on testing rather than examining standards and control documentation and communication?

  • Do you feel your policies, standards and controls are "validated" in the eyes of the auditors?

  • What benchmarks do your auditors use ("best practices", control frameworks, specific regulations)?

  • Can you quickly and easily demonstrate the connection between your policies and standards with well-known control frameworks or specific regulations?

  • What were the findings of your last security program audit?

In an alternative universe

The reminder pops up on your computer screen. Oh yeah, you think, the auditor walkthrough is today. You walk to the conference room, plug in your laptop to the projector and patiently wait for the auditors. In a few minutes, they enter and spread out around the table. You smile and begin…

"Our controls framework is captured in a compliance knowledge management system called the Brabeion Compliance Center, or BCC. It sits on our Intranet and is available to all employees. We have developed customized controls based upon a library of policies, standards and controls from PricewaterhouseCoopers within that tool. These controls gave us a great baseline to start with and we customized them for our environment. All of our technical controls are consistently documented - we have controls documented for all of our major operating systems, databases and network devices.

Within BCC, we have mapped all standards to regulations and our controls. The tool again gave us a baseline to start with and we tailored that to fit our business. Since you may want to see what controls we have identified for specific regulations or in the context of COBIT, ISO:17799 or NIST 800-53, you can run reports for that view of our policies and standards or for any of the technologies.

We have verified these controls with internal audit. Internal audit was part of the project team reviewing and customizing this content. Therefore, our internal IT audit activities are aligned with these controls as well - they build compliance checklists from this system as well to perform system assessments just as our IT teams build implementation checklists for new system implementations.

The content is updated within the system every quarter. We get a feed of this information from Brabeion. We then review these updates, make any modifications that we need for our environment and publish the updates through this centralized tool. We can email notifications to relevant groups within IT so we get the word out quickly on changes. Additionally, if we find that general employees need to acknowledge any policies, we create an awareness campaign around those policies and use BCC to communicate and track acknowledgement of policy.

I took the liberty of creating some read-only accounts for you to review the content. Please let me know if you have any questions."

You bring up BCC and give a run-through of the basic functions. You smile at the audible gasp of appreciation…

Continued in Part II.

About Brabeion Software

Brabeion Software is the expert in enabling regulatory compliance for information and risk management. We help organizations achieve and sustain compliance through a full lifecycle policy, standards and IT control management software platform powered by comprehensive information risk and audit content developed and maintained by PricewaterhouseCoopers LLP. Over 300,000 users have deployed Brabeion solutions to accelerate time to compliance, protect information assets and mission-critical systems, lower costs, and optimize IT controls. Brabeion Software is successfully deployed across a wide range of vertical markets including Financial Services, Oil and Gas, Healthcare, Pharmaceutical, Government and Transportation.

Any technical information that is made available by Brabeion Inc. is the copyrighted work of Brabeion Inc. and is owned by Brabeion Inc. NO WARRANTY. The technical information is being delivered to you as-is and Brabeion Inc. makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user.

The Business Forum

Beverly Hills, California, United States of America

j[email protected]  

Graphics by:  DawsonDesign



Copyright The Business Forum Institute. - 1982 - 2009