The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896


IT Regulatory Compliance & Risk Management
Easing the IT Audit - Part II

Contributed by Brabeion Software, Inc.


 

Digging Deep

You reach your desk in the morning and confront the stack of audit papers on your desk.  You scratch your head - which audit is this again?  Oh yeah, one of your key business partners is asking for a demonstration of compliance to their security standards. The relationship represents millions of dollars in investment and business potential.  Yesterday they went through your internal documentation.  The review was successful, although somewhat painful.  The security policy held up to their scrutiny, the spreadsheets of controls from the technical groups satisfied their technical reviews and now it is time to dig in deep - look at the actual systems connecting your internal network to theirs and demonstrate compliance levels.  Since data is shared between the two companies, there are a handful of systems, along with peripheral systems, that are in the scope of the agreement.  Armed with your handy list of documents you think the auditors will be interested in, you run through the collection of paper on your desk.

First, you check to make sure the network scans of the internal systems printed out properly.  The scan hit the major systems in the scope of the audit, highlighting network-based vulnerabilities.  The scanner spits out great technical information, ranking vulnerabilities in concise reports.  Luckily the systems are spread out into three subnets, so the reports are only a couple of hundred pages.  It only took you four hours to put in the sticky tabs for the systems you are interested in.  The next stack of paper is the output of host configuration tools on the systems.  The results show the level of compliance to templates you created as baselines in the assessment tool.  The systems look pretty good, the result of some last-minute fixes over the past two weeks.  Unfortunately, some of the issues weren’t discovered until last week and the systems’ downtime window had passed.  You have dutifully noted which issues were going to be resolved on the next operations cycle.  Again, more sticky notes and another four hours of prep time.  Next to the pile of configuration reports is the Exceptions binder.  This binder holds papers documenting the systems that are unable to meet some requirements due to some business and technical restrictions.  You had the system administrators document these and get sign-off from the business owners of the systems.  The binder was updated again as a result of several meetings with the administrators.  These meetings fit nicely into your compact schedule over the last two weeks.  You were looking to lose a few pounds so those missed lunches were acceptable.

The auditors walk in with cheerful anticipatory faces.  They mention how well the documentation looked and are glad their last two days reviewing all those documents are complete. Then your world slowly disintegrates - along with your hope of a quick and easy audit. 

“Great, network scans.  Is there a quicker way to get to our systems of interest without paging through all of these sticky tabs?  It seems when I picked up the binder quite a few fell out.”

 

“The configuration reports will be helpful.  Is there a cross reference to the control documentation you provided yesterday so we can map controls to results?”

 

“You have a good security policy.  One of our metrics is how well your people understand the policy.  Do you have any acknowledgement from the employees that administer our systems on our requirements?”

 

“One of the key things we look for is the implementation of process controls in system maintenance and operations.  How do you measure compliance of your process controls outlined in the policy?”

 

“Also, we like to measure our partners against the ISO:17799 framework.  Your policy appeared to meet those requirements after our review.  We would like to measure your infrastructure and the overall control environment in that same context.  Since we don’t have a mapping already, looks like we have some work ahead of us.”

You get ready to roll up your sleeves and your cell phone rings.  It is another of your business partners scheduling a similar audit, across different systems though, next week.  You groan and open your calendar on your PDA.  While you begin to schedule meetings, you say to yourself, “A couple more skipped lunches won’t hurt my waistline.”

This scene is becoming an increasingly familiar routine for companies.  Between external audits, SOX audits, regulatory audits such as Visa’s PCI audits and business partner audits, many companies are facing the challenge of being under an almost continuous audit cycle.  The issue is that each audit has a different scope - different systems, different requirements, different timeframes.  The result can be an incredibly hectic audit schedule with time and money being spent on testing devices, answering questions, retesting, remediation, more testing and more questions, sometimes culminating in a not-so-stellar audit report.

While the scenario above may seem a bit simplistic, many companies struggle with coordinating efforts to satisfy compliance and business partner requirements in an efficient manner.  With the recent focus on Sarbanes-Oxley preparation, companies have come a long way in documenting controls and standardizing on control environments.  Responding to a business partner audit or compliance review is just another of the many facets of a compliance program.  Compliance programs must be flexible enough to meet a variety of demands in today’s business world.  Only with vigilance and preparation can CIOs, CSOs and CISOs be ready with the answers to these challenges.

The ROI of Brabeion Compliance Manager

Regardless of the context - regulatory compliance or an audit - policy is considered step one in any security and compliance program.  As we saw in Part One of this series, Brabeion Compliance Center eases the burden of policy management and brings a definitive return on investment to any company seeking to improve the efficiency and effectiveness of its compliance program.  Brabeion Compliance Manager extends that infrastructure into clear measurement of compliance across the enterprise, incorporating people, process and technology.  The key is to measure the compliance state against your documented policy and controls and to have the flexibility to present the data in the proper context for the audit.

Base measurement on internal policy

In our fictitious scenario above, there were some positives for our beleaguered protagonist.  His security policy and control documentation measured up to the audit requirements.  A strong documentation base is the first step in creating a solid controls environment. The auditor can review this content to gain an immediate understanding of the level of control in the environment. However, his downfall was the inability to put compliance state in the context of this documentation.

Companies struggle with measuring current state directly against internal policy.  The issue resides in the fact that internal policy is not structured to map compliance results to control requirements efficiently.  If the control requirements, as defined in policy, standards or controls, are lumped into documents for communication, they cannot be dissected into bite-size chunks for compliance measurements.  Additionally, the technology that makes up the infrastructure measuring compliance is not designed to synchronize with internal policy.  Most assessment technologies are based on templates defined internally and specific to the assessment capabilities.

Companies can spend considerable time bridging the gap between measurement technology and internal policy.  First, templates and technical configurations of the compliance technology must be configured to meet internal requirements.  Second, results coming from the assessment technology must either be cross-referenced manually or be presented ‘as-is’ with a loose connection to the internal policy.  Neither approach is optimal or efficient.  The results either leave gaps and a layer of interpretation or require investing considerable resources and time away from other business activities to map content and compliance.

Brabeion Compliance Manager works together with Brabeion Compliance Center to provide the connection between policy and compliance state.  Measurement of compliance status within Brabeion Compliance Manager is not presented as a disconnected interpretation but as a clear association between internal policy and the actual compliance state, utilizing the relationships built in Brabeion Compliance Center.  Reporting within Brabeion Compliance Manager meets both administrative and management requirements - providing detailed technical results as well as management views.  Built-in functions for resolution tracking and exception processing further extend the management system and streamline audit preparation and remediation efforts.

Know your scope

Our hero spent several weeks pulling together information in our opening scene.  Network scans, configuration reports, exception documentation and remediation schedules provide an abundance of data.  The difficulty lies in creating information in a format easily produced and conducive to communication to an audit team.  Additionally, given that each audit might have a different scope - both in requirements and systems and processes - every audit compounds the amount of information necessary to demonstrate compliance.

The first component of scope is the specific assets in question.  Audits based upon regulatory requirements (SOX, HIPAA, PCI, etc.) are specific to assets for a specific business purpose (financial reporting, healthcare information processing, credit card processing, etc.).  Compliance reviews for business partners are similar and typically are focused on a subset of the assets directly related to the business relationship.  Asset management is a challenge for any enterprise.  Adding to this challenge is the requirement to identify systems and logical assets (databases, applications, etc.) for audit purposes.

The second component of scope is the specific requirements.  Audits are either measured directly against the requirements defined in the regulation, such as PCI audits, or measured against some framework such as ISO:17799 or COBIT.  Business partner audits could be defined by requirements in Service Level Agreements (SLAs) or a framework, or both.  Identifying these requirements is an element of policy management; measuring against these requirements is a component of compliance operations; demonstrating compliance in the context of these requirements is a function of compliance reporting.  Balancing requirements across multiple audits is obviously a challenge for many organizations.

Brabeion Compliance Manager is designed to help organizations manage these complex scopes.  Assets can be tagged with multiple regulations and frameworks to focus reporting.  To connect the assets to requirements, integration into Brabeion Compliance Center is critical.  With its web based interface, Brabeion Compliance Manager is specially designed to meet the requirements of auditors while providing an intuitive portal for IT operations and security administrators managing the process.

Cover People, Process and Technology

Documenting technical compliance is just the first step.  As our leading man found out, auditors are interested in areas outside the detailed technical configurations.  How well people understand requirements and how well controls are integrated into processes are critical components of control environments.  These facets of the organization are absolutely integral to demonstrating compliance to requirements.  Demonstration of technical compliance is only one piece of the puzzle.  Therefore, it is crucial to put together the compliance program that encompasses people, process and technology.

Policy and controls cover broader terms than just technology - therefore, measuring compliance should cover the same breadth.  Compliance programs must measure compliance across a combination of people, processes and technologies. Anything less than that does not give the full picture.  A purely technical perspective will fall short of meeting audit needs.  Measurement and articulation of people and process controls is more than an ‘added’ benefit to the compliance story; it is an absolutely necessary point to include.

Brabeion Compliance Manager is built with these needs in mind.  With its flexible approach, it measures compliance for all aspects of compliance - people, process and technical controls.  Brabeion Compliance Manager’s integration into assessment technologies provides the infrastructure to gather and articulate technology compliance levels.  Integration into Brabeion Compliance Center provides additional functions for the definition of controls for people and processes and the ability to gather compliance status.

The Bottom Line

Managing multiple audits with multiple objectives across a disparate, heterogeneous environment is, in short, no picnic.  The audit response process requires effort and time from IT resources, coordination with internal operational groups and a method to demonstrate current compliance state.  An operational compliance process - dealing with compliance state on a day-to-day basis - reduces audit preparation time and is much more likely to catch issues before they can become problems.  No tool can eliminate the audit preparation - but the right tools can definitely reduce the amount of effort and improve the quality of the interaction with auditors and your reputation with your business partners.

Ask yourself these questions to consider the impact Brabeion Compliance Manager would have on your organization:

  • How much time did it take to organize and document control status for the last audit?
     
  • Do you feel you spend too much time identifying the assets in scope of the audit?
     
  • Do you feel you spend too much time connecting the dots - policy, controls and current state?  Or do you have to leave those dots disconnected because of effort?
     
  • Are the parties asking for your current compliance state increasing in number, scope or frequency?
     
  • Do you feel your assessment technologies leave a gap in demonstrating compliance in the context of audit needs?
     
  • Do you feel the auditors expend too much effort on testing rather than examining standards and control documentation and internal compliance management and testing processes?
     
  • Do you juggle multiple audits, with multiple requirements and multiple timelines?
     
  • Can you quickly and easily demonstrate the compliance state of your organization against your policies and standards and well-known control frameworks or specific regulations?
     
  • Do you cover the three aspects of compliance - people, process and technology?
     
  • What were the findings of your last security program audit?

In an alternative universe . . . .

The reminder pops up on your computer screen.  Time for the auditor detailed review.  You walk to the conference room, plug in your laptop to the projector and patiently wait for the auditors.  In a few minutes, they enter and spread out around the table.  You smile and begin . . . .

“As you saw yesterday, our controls framework is captured in a compliance knowledge management system called the Brabeion Compliance Center, or BCC.  Today we are going to drill down into the specific assets related to this audit, review compliance levels, exceptions and any remediation efforts in process through the Brabeion Compliance Manager, or BCM.

Within BCC, we have mapped all standards to regulations and our controls.  BCM integrates directly with BCC and inherits all of the BCC relationships and content.  This means our compliance measurement is made directly against the policies, standards and controls we communicate to our employees.  As we showed yesterday, BCC has a complete mapping from regulatory requirements and control frameworks down to the technical control level.  BCM picks up from the technical controls and determines compliance state for those controls via various assessment technologies.

We have structured the assets within BCM geographically using major business units and operational groups as logical groups.  Within these groups we have identified individual logical assets.  Each asset can be tagged with a regulation or control framework for measurement.  Therefore, we can slice across the organization to get multiple views using different measuring sticks.

The compliance views allow us graphical reporting of compliance levels.  For instance, here is the compliance level of our North American operations. We can drill in a bit further into specific operational groups.  But first, let’s filter on those assets you are interested in.

You can see here that the compliance level - against your requirements - is sitting at 92% compliance.  You can also see we have an exception rate of 5% - we can view those in detail in a minute.  We can also look at our specific control failures and review the current status of remediation efforts.

Once we get past the technical platforms, we will begin reviewing the policy acceptance and acknowledgement evidence from our employees managing our systems related to this business partnership and the individual operational processes and their compliance states reported by process owners.”

You proceed to drill into compliance state, watching the looks of astonishment on their faces and thinking, “I can’t wait until next week when I get to astound another set of auditors…By the way, I wonder what the cafeteria is serving today.”


About Brabeion Software

Brabeion Software is the expert in enabling regulatory compliance for information and risk management. We help organizations achieve and sustain compliance through a full lifecycle policy, standards and IT control management software platform powered by comprehensive information risk and audit content developed and maintained by PricewaterhouseCoopers LLP. Over 300,000 users have deployed Brabeion solutions to accelerate time to compliance, protect information assets and mission-critical systems, lower costs, and optimize IT controls. Brabeion Software is successfully deployed across a wide range of vertical markets including Financial Services, Oil and Gas, Healthcare, Pharmaceutical, Government and Transportation.


Any technical information that is made available by Brabeion Inc. is the copyrighted work of Brabeion Inc. and is owned by Brabeion Inc. NO WARRANTY. The technical information is being delivered to you as-is and Brabeion Inc. makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user.


Visit the Authors Web Site

Website URL:

 http://www.brabeion.com


The Business Forum

Beverly Hills, California, United States of America



© Copyright The Business Forum Institute. - 1982 - 2009