Rob Buckley – Freelance Journalist and Editor

Compliance: Ahead of the game


Don't sit around waiting for the next piece of legislation. It's better to be adaptable and make general compliance your aim. Rob Buckley reports.


Unisys, for example, offers a benchmarking tool, originally developed for its own use, that requires its users to answer questions about what processes are in place in their organisations and how mature these are. The tool will then flag up areas where the organisation is non-compliant.

“If you are a CSO or a risk manager and you do not know where the risks are, your only function in the organisation is to be blamed if things go wrong,” says Gerhard Knecht, security director and CSO, global outsourcing and infrastructure services, at Unisys. He also argues that it's more important to know where weaknesses are than to fix them immediately. “If the CSO focuses on the things that are wrong, this can escalate the change-management process.”

Again, GRC benchmarking tools rarely cover the actual technology needed to be compliant, mainly because the legislation itself doesn't spell out these matters. There are exceptions, however: banking regulations typically require two-factor authentication for bank employees, and the latest versions of the PCI DSS rules are probably the most prescriptive about technology. Among a host of security requirements, they set firewall configuration standards and the frequency of penetration testing, mandate two-factor authentication for remote access to the network, and require web-facing custom application code to be reviewed for common vulnerabilities unless a web application firewall is in place.

ISO standards
But these are the exceptions. In lieu of detailed technical requirements, many organisations and consultancies turn to optional standards and frameworks that are geared more directly to information security: ISO 17799 (since renumbered ISO 27002) and ISO 27001 for information security management, COBIT for IT governance and control objectives, and ITIL for IT service management. Of these, only ISO 27001 is a standard an organisation can be certified against; one that holds that certification, or has aligned its processes with the others, will almost certainly be well on the way to passing an audit under higher-level compliance legislation.

Here, GRC tools can be more helpful. Companies such as IT Governance offer ISO 27001 workflow engines designed to monitor processes and help achieve compliance under the standard.

One thing is certain: companies will need threat protection, such as firewalls and anti-virus software; a risk-management process; intrusion detection or prevention systems; and access controls for logging on to organisational resources.

Indeed, identity-management systems are probably the one piece of technology all consultants agree is useful for compliance purposes. Mark Jones, associate partner and head of business risk and security services at Atos Origin, says: “Identity management offers many benefits, but crucially allows you the beginnings of atomic-level permissions.” Maintaining an audit trail is far easier when each user has a single identity (as with single sign-on) and permissions are restricted to what each role actually needs, because every logged action can then be tied to a named person and a specific grant.
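The property Jones describes, fine-grained permissions drawn from a single identity store and producing a trail an auditor can rely on, sketched as an added example. This is not code from the original article, nor from Atos Origin or any GRC vendor named here; the users, roles, resources and the hash-chained log format are constructed for illustration.

```python
"""Added example: atomic-level permissions with a tamper-evident audit trail.

Illustrative only; not a product from any vendor mentioned in the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import json

# Permissions are (resource, action) pairs rather than coarse "admin"/"user"
# roles, so each grant is small enough to justify individually to an auditor.
ROLE_PERMISSIONS = {
    "payroll-clerk": {("payroll", "read"), ("payroll", "update")},
    "auditor": {("payroll", "read"), ("audit-log", "read")},
}

# Constructed sample identity store: one record per person, as a single
# identity-management system would hold it (hypothetical names).
USER_ROLES = {
    "alice": {"payroll-clerk"},
    "bob": {"auditor"},
}


def _entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash an entry together with its predecessor's hash, so editing or
    deleting an earlier entry invalidates every hash that follows it."""
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)

    def record(self, user: str, resource: str, action: str, allowed: bool) -> None:
        """Append one decision; denials are logged as well as grants."""
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "resource": resource,
            "action": action,
            "allowed": allowed,
        }
        entry["hash"] = _entry_hash(prev, entry)
        self.entries.append(entry)

    def verify(self) -> bool:
        """Recompute the chain; False if any stored entry has been altered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if _entry_hash(prev, body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def actions_by(self, user: str) -> list:
        """What an auditor asks first: everything this identity attempted."""
        return [(e["resource"], e["action"], e["allowed"])
                for e in self.entries if e["user"] == user]


def authorize(trail: AuditTrail, user: str, resource: str, action: str) -> bool:
    """Deny by default: allow only if one of the user's roles carries the exact
    (resource, action) permission. Unknown users hold no roles and are denied."""
    granted = set()
    for role in USER_ROLES.get(user, ()):
        granted |= ROLE_PERMISSIONS.get(role, set())
    allowed = (resource, action) in granted
    trail.record(user, resource, action, allowed)
    return allowed


if __name__ == "__main__":
    trail = AuditTrail()
    authorize(trail, "alice", "payroll", "update")
    authorize(trail, "alice", "audit-log", "read")   # denied, still logged
    print(trail.actions_by("alice"), trail.verify())
```

Two design points matter for an audit. Denied requests are recorded alongside granted ones, since a pattern of refused access is often the first sign of misuse; and each entry is hashed with its predecessor, so an administrator who edits or deletes a log line cannot do so without `verify()` failing. In production the chain would be anchored externally (for example, periodically signed or shipped to a write-once store), which this sketch omits.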

Regardless of how the organisation obtains its compliance information, the next step is finding out what needs to be done in order to meet the requirements. Benchmarking or risk-analysis tools such as the one from Unisys are one way of taking stock of existing processes. A range of process-mapping tools is also available. “Anything that can map processes in an efficient way will help implement compliance technically,” says Jones.

This is also where more advanced GRC tools, such as French firm Mega's GRC platform, can come in useful. These include mapping tools, but they can also consist of business process management or business rules engines for the automation of business processes.

External requirements
“Policies and controls are central to operational risk and compliance,” says Forrester's Rasmussen. “The first thing a regulator or auditor wants to see is how the organisation has defined its adherence to external requirements.” Workflow and collection capabilities allow the organisation to assess the state of controls; risk analytics, modelling and reporting functions enable managers to assess the state of risk and compliance, and investigations management facilitates central management of investigations and aggregate information.

How many of these features an organisation needs depends on the number of regulations it is subject to, as well as on its size and complexity. But Rasmussen predicts that organisations will increasingly move towards a single view of risk and compliance oversight.

