Creating a Culture of Compliance
The Responsibility of Every Member of an Organization
by Suzanne Dickson
The Sarbanes-Oxley Act (SOX), passed in 2002, is the most sweeping legislation regulating corporate governance and financial disclosure since the 1930s, and it heralded a new era of regulatory compliance for publicly traded companies in the U.S. and throughout the world. But SOX is only a part of the new compliance equation.
The growing importance of information technology has made privacy and information security critical issues, leading to the passage of other major regulations, such as HIPAA, the Gramm-Leach-Bliley Act, FISMA, and California's SB 1386.
In fact, a recent survey by the Security Compliance Council revealed that three out of four organizations must comply with two or more regulations, and nearly half (43 percent) must comply with three or more regulations. Moreover, organizations spend an average of 34 percent of their IT resources on activities devoted to satisfying security compliance for multiple regulations.
Yet, only a small fraction of organizations are able to demonstrate IT security compliance. Why?
Compliance Starts at the Top
Too often, businesses view and treat regulatory compliance as a separate activity rather than understanding how to incorporate compliance into their day-to-day business operations. It is a common misstep companies make when evaluating their compliance strategy.
The problem is compounded when compliance reviews are restricted to small groups such as the board of directors, auditors, and select senior management. This limited involvement often translates to limited effectiveness.
Instead, if viewed properly, regulatory compliance-based measurements and controls can be used to identify and improve inefficient internal business and technology controls on a continuous basis. This requires commitment and cooperation among several areas of the organization, including business owners, finance, IT, HR, senior management, and the board. By combining regulatory compliance activities with business process improvement programs, organizations can maximize the return on their efforts.
Moreover, by involving multidisciplinary teams of individuals from key departments, from finance to IT, legal, HR, and more, businesses can create a compliance committee better suited to represent the interests and abilities of the entire organization and to work effectively within their own departments to drive change.
This commitment and cooperation marks a shift toward viewing regulatory compliance as a means to an end: another strategic component that helps deliver on the organization's overall mission of good governance, improved business operations, enhanced profit margins, and increased market share.
The Advantage of Automation
The proximate and pressing nature of demonstrating compliance has prompted more than one-fourth (27 percent) of businesses to leverage homegrown, manual methods such as spreadsheets, according to the Security Compliance Council. While the low cost of implementation of this approach is initially appealing, its limitations become clear as organizations struggle with scalability and reliability over time. Even the simplest of tasks, such as gathering evidence to show compliance, become the most time-intensive tasks to perform with manual controls in place.
Yet the Security Compliance Council study revealed that compliance leaders, those who perform at least one audit per month, have an astounding 15 times fewer deficiencies than the industry laggards, who perform audits an average of once every eight months. However, because they lack automation, the leaders have doubled their IT budget on compliance and nearly tripled their budget for security.
The fact is that it is virtually impossible to efficiently correlate business requirements with regulations and policies without an automated toolset, together with analysis and remediation, auditable processes, and ongoing management and monitoring. Many organizations understand that. So, with manual methods proving unwieldy and cumbersome, many organizations are accelerating the use of automation in IT and IT-enabled business functions to demonstrate compliance more cost-effectively and efficiently. Their goal is to meet regulatory requirements at lower cost so that IT resources can be allocated to more productive pursuits.
Implementing an automated, consistent, and repeatable process for testing, measuring, correcting, and reporting on the state of IT-related security controls can result in continual performance improvement.
Having the Right Tools
Technology makes identifying IT security and risk easier. Technology helps evaluate mission-critical applications and operating systems, while intelligently assessing and reporting deviations in areas such as password strength, default accounts, user rights and permissions, and vulnerability and patch status.
Several tools are available to help streamline the process of compliance, and the benefits stemming from these tools are:
- Automated Policy Management: Define, create, and disseminate policies and track user acceptance or waivers. Because many companies are impacted by more than one mandate, a growing number of these tools map policies to multiple frameworks, standards, and regulations that can be traced back to specific business requirements.
- Automatic Threat Detection: Automatically identify and prioritize security threats that affect business-critical applications.
- Compliance Assessment and Reporting: Integrate data from a variety of sources through a single interface to enable organizations to demonstrate due care toward achieving IT policy compliance. Some tools automatically report gaps in coverage of key regulations and frameworks, while others capture and report on user acceptance of, and waivers to, policies.
- Governance: Streamline the compliance and performance-improvement environment.
- Managed IT Controls: Assess and manage IT technical controls through tools that establish baseline configurations for all major operating systems and identify exceptions to configuration standards.
- Routine Control Deficiencies: Establish, test, measure, and remediate control deficiencies through technology tools. A growing number of these tools also leverage global networks of Internet activity sensors as well as security personnel to enable proactive response to fast-moving and sophisticated threats.
These toolsets help make efficient and cost-effective work of meeting the complex requirements of regulatory compliance and drive repeated performance gains across the organization by setting up automatic procedures for policies and standards, gathering evidence, and maintaining and protecting IT assets and data.
Ensuring End-user Compliance
Finally, unless users are aware of corporate policies, they cannot be expected to follow them; and if they are not held accountable for their adherence to policies, they are unlikely to heed them. Therefore, the value of user awareness, education, and adherence in meeting regulatory compliance requirements is critical, because any lack of adherence can, in turn, lead to a potentially costly data breach. The cumulative impact of increased user awareness through automation is often a significant parallel decrease in the likelihood of deficiencies in complying with policies.
Today's enterprises need to evolve their compliance efforts from ad hoc projects into cost-effective and efficient processes that can be applied across various compliance initiatives involving the security and availability of information. The key is to involve a cross-section of key personnel in the organization's policy compliance committee, implement automated and repeatable processes, and ensure adherence to policy, thus helping organizations meet regulatory requirements, improve operating results, and ensure continuous business improvement.
About the Author
Suzanne Dickson is director of Compliance and Security Management Solutions at Symantec Corp.
© Copyright 2007-2008 Auerbach Publications