IT Regulatory Compliance & Risk Management
Contributed by: Brabeion Software, Inc.
It is audit day! The external auditors are scheduled to perform their walkthrough in two hours before moving into the testing phase. You sit in the conference room readying yourself and organizing your notes and binders one last time. With a sigh of relief that the hard part is over, you think of the busy last three weeks you have spent collecting information for the meeting. This year you are going to head them off at the pass so they don't have to run around the company for weeks bothering all of the Ops people with requests. Armed with your handy list of documents you think the auditors will be interested in, you run through the collection of paper on your desk.
First, you check to make sure your printout of the security policy printed properly. You hadn't printed it since last year, but it seems okay. Although it was written four years ago, you take heart in the fact that it was based on BS:7799, a well-known and solid international standard. You flip through the spreadsheets from the Windows group outlining their build process. You glance over these highly organized spreadsheets of controls. Each line has a simple statement like "Password length" and then some technical info. You look through the security hardening script the Unix group gave you. Although you don't understand each line, you are encouraged by such an efficient automated method of implementing technical controls. Of course, the mainframe team gave you two binders. Their material starts with a RACF operations manual, circa 1989, and ends with a huge printout of the group profiles on the mainframe. The network team only gave you a Visio diagram of the network topology, but there hasn't been a network outage in over 8 months. You silently encourage yourself again.
The auditors walk in. (You hear the Darth Vader theme in your head as they gather around the table). You smile and begin pushing the documents toward them. Then your world slowly disintegrates - along with your hope of a quick and easy audit.
"Hmmm... BS:7799. That's a good start, but we will be using the newly released 2005 version of ISO:17799 for our gap analysis against your policy."
"Solid Windows controls. Do you know how these map against COBIT? We will be using COBIT for our operating system analysis."
"This looks like a good Solaris Unix hardening script. What do you do about the Red Hat Linux machines you have started using as web servers? Or the AIX servers that house the DB2 database for the order entry system?"
"1989? Isn't that a coincidence? I graduated from grade school that year."
"Since you don't have any network device standards, we will only have to pull the configs from these four border routers, the firewall rules on these two external-facing firewalls, the two firewalls inside the DMZ, the 15 routers at the warehouse sites and, of course, all of the firewall rules from the firewalls between corporate and your 32 remote sites. Our network guy will be here tomorrow, so as soon as you can get those, we will need them."
Hopefully, this scenario isn't too familiar to you. But at some point, many companies have faced this challenge. What would have resulted from this simple walkthrough is an incredibly hectic audit schedule, with time and money being spent on testing devices, answering questions, retesting, remediation, more testing and more questions, culminating in a not-so-stellar audit report.
While this scenario may seem a bit outlandish, it is not uncommon for companies to struggle with coordinating efforts in these areas. With the recent focus on Sarbanes-Oxley preparation, companies have come a long way in documenting controls. Standardization of controls, for both internal compliance efforts and external audits, has become a must-have in today's IT world. Even if external auditors are not performing audits, there are still many other compliance requirements companies face. Management wants to know how the company is situated against HIPAA or what the company is doing to protect information on backup tapes. These questions are triggered by everything from a story on CNN to an inquiry from the internal general counsel faced with some litigation. Only with vigilance and preparation can CIOs, CSOs and CISOs be ready with the answers to these questions.
The ROI of Brabeion Compliance Center
Regardless of the context - regulatory compliance or an audit - policy is considered step one in any security and compliance program. Even though all of the regulations are ambiguous in many areas, one area that they are all explicit about is policy. Policy is an important aspect of management processes that auditors look at. Companies must set policy, communicate requirements and educate their employees on the prudent manner to handle, secure or disseminate information. Brabeion Compliance Center eases the burden of policy management and brings a definitive return on investment to any company seeking to improve the efficiencies and effectiveness of their compliance program.
Start with the best content
In our fictitious scenario above, there were some positives for our beleaguered protagonist. His security policy was based on an internationally recognized standard, and his Windows and RACF teams had documented technical control information. However, his downfall was the relevance and consistency of the content.
Companies struggle with keeping up to date with control information. Some companies have the luxury of deep technical resources to draw upon for knowledge and experience. However, those same resources are the ones that are generally keeping the business moving forward. It isn't necessarily the best use of your top-notch Unix guru's time to be culling through security mailing lists and discussion forums to stay on top of the latest technical vulnerabilities. Additionally, many very talented technical people don't think in the mindset of controls. If their job is to keep the systems up and running, then controls and what the auditors or regulations expect are not top of mind.
Companies can spend between 100 - 200 hours of time per year managing control content for each technology in their environment. Added up across the enterprise, this effort can be a substantial drain on resources. The kicker is that this is time spent away from moving the business forward - implementing new technologies, driving critical IT services, expanding markets.
Brabeion Compliance Center is built on a substantial, comprehensive library of control information. It is control content written by controls-minded people. Just having the baseline library for your technical people to reference saves time and effort. Your focus can be on taking that information and making it relevant to your business, your technology and your operations.
Put it all in one place
Our hero spent several weeks pulling together information in our opening scene. The formats were all different; the only common denominator between the pieces of information was that they could be printed out and put in binders. This format is hardly conducive to communication with a small audit team, much less a large enterprise.
With Sarbanes-Oxley, many companies have built a collection of controls that sits somewhere between the internal audit function and the IT department. However, this valuable collection of controls is neither comprehensive for the full company nor easily transferable to other regulatory compliance requirements. Centralization of control information is a must for a consistent approach across any enterprise. Along with centralization, applying a consistent methodology in the development of policies, standards and controls improves usability. Centralization eases modes of communication and allows the company to disseminate information much more quickly.
Companies make many stops on the path to an organized policy and control management infrastructure. Spreadsheets, PDFs and Word documents are usually the first stop along the way. These methods may help with information collection but leave much to be desired as a communication medium. The next stop is intranets and websites. These improve communication and may add some search capabilities, but they still rely on static documents for content, limiting content flexibility and management. Internally developed solutions or other content management applications are then relied on to fill the gaps and turn static documentation into a living infrastructure. The result is either a costly development project or fitting security and control information into a system that isn't designed to meet the requirements.
Brabeion Compliance Center is designed to be the "one-stop shop" for security and control information. With its web-based interface, it is specially designed to meet the requirements of security and compliance professionals while providing an intuitive portal for end users seeking to find information. Brabeion Compliance Center has been developed over the past several years specifically to meet the communication needs of organizations.
Pull the pieces apart and then put them back together
Documenting policies and controls is just the first step. As our leading man found out, auditors may use several benchmarks to analyze the controls environment. Additionally, each regulation that a company must comply with has a special focus. How many organizations can frame their internal controls in the context of COBIT, HIPAA, ISO:17799 or any other regulation or control framework without a major analysis effort? Therefore, it is crucial to put together the documentation in a manner that is flexible and manageable.
Connection to specific regulations and control frameworks is just the first step. Policy cannot stop at a high level; it must drive down to the detailed controls level if the company wants a truly efficient and effective controls and risk management process. Additionally, policies, standards and controls may be applied differently to different pieces of the organization. Finally, the employees that are responsible for implementing controls must be able to weed through all of the requirements and get to the information they need. It is for these reasons that a simple content management process or format is not sufficient for today's compliance programs. It takes a tool designed to meet these requirements, with the built-in intelligence to move a compliance program forward.
Brabeion Compliance Center is built with these needs in mind. With its flexible and unique information model, Brabeion Compliance Center can get from regulation to control easily. The framework puts your organization in control of its content with an intelligent and thoughtful design. IT security administrators, IT administrators, compliance teams and internal audit can get on the same page using BCCâ€™s functionality.
The Bottom Line
Audits, whether internal or external, require effort and time from IT resources. No tool can, or should, eliminate the critical interaction between IT and the auditors. Audits provide a key business function and give an external perspective on IT processes and controls. However, proper preparation will reduce the amount of effort and improve the quality of the interaction and the time spent on the audit.
Ask yourself these questions to consider the impact Brabeion Compliance Center would have on your organization:
In an alternative universe
The reminder pops up on your computer screen. Oh yeah, you think, the auditor walkthrough is today. You walk to the conference room, plug in your laptop to the projector and patiently wait for the auditors. In a few minutes, they enter and spread out around the table. You smile and begin…
You bring up BCC and give a run-through of the basic functions. You smile at the audible gasp of appreciation…
About Brabeion Software
Brabeion Software is the expert in enabling regulatory compliance for information and risk management. We help organizations achieve and sustain compliance through a full lifecycle policy, standards and IT control management software platform powered by comprehensive information risk and audit content developed and maintained by PricewaterhouseCoopers LLP. Over 300,000 users have deployed Brabeion solutions to accelerate time to compliance, protect information assets and mission-critical systems, lower costs, and optimize IT controls. Brabeion Software is successfully deployed across a wide range of vertical markets including Financial Services, Oil and Gas, Healthcare, Pharmaceutical, Government and Transportation.
Any technical information that is made available by Brabeion Inc. is the copyrighted work of Brabeion Inc. and is owned by Brabeion Inc. NO WARRANTY. The technical information is being delivered to you as-is and Brabeion Inc. makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user.