In-Depth

Compliance and Security, Part 2: Uniting Efforts

In the second of three parts, unifying security, compliance, and risk assessment get better results

• By Chris DeVoney
• 11/13/2007

No doubt your enterprise or institution is governed my multiple compliance regulations. The number of applicable regulations varies by the type organization, but as Scott Crawford, an analyst at Enterprise Management Associates, points out, some financial services companies are so heavily regulated that audits are scheduled on a rolling weekly basis.

In the early stages of wrestling with compliance requirements, enterprises and institutions scrambled with single-point solutions that usually addressed only the immediate regulatory needs. With experience and a maturing market, single-point solutions now appear counterproductive.

Crawford feels that the objective of the recent wave of compliance activity is directed at reducing the total cost of compliance. Enterprises want to go through the process and break out the compliance results for many regulations. He sees these solutions with end results that go beyond compliance and assess IT risk or report on IT governance.

Compliance is a multi-part process that includes asset discovery and identification, self-assessment surveys, policy distribution and attestation, operational instrumentation and monitoring, exception and deficiency identification and remediation tracking, and reporting. The ideal environment automates as much of the process as possible to reduce costs and nimbly meet compliance challenges.

Several companies offer products that address many or almost all of the pieces for an IT governance, risk-management, and compliance (GRC) effort. Among them are Agiliance, Archer, Brabeion, Centria, Control Path, Modulo, NetIQ, Relational Security, and Symantec.

Two players in the Fortune 2000/5000, banking markets and international enterprises, are Agiliance and Symantec.

Agiliance offers a comprehensive product aimed at firms that must respond to a myriad of regulations and governance issues. The product works as a common repository. It gathers asset information; helps author, coordinate, distribute, and track risk-assessment and compliance surveys; handles compliance attestations; and provides operational monitoring.

Its reporting extends from detailed views with items marked to sectors into each specific regulation or mandate to a CxO and boardroom dashboard that provides a simple red-green-yellow status report on current efforts.

Symantec provides a similar capability in its Control Compliance Suite (CCS) which gets an 8.6 point-release bump that covers more content (IT controls and their called-out mapping to regulations and mandates) and offers extensive reporting for recent changed regulations. Like Agiliance, CCS attempts to be the standard repository for everything from surveys and policies to operations remediation and the reporting mechanism for multiple compliance needs.

When it comes to planning an IT GRC effort, Peter DiStefano, Symantec’s director for the Compliance and Security Management team, thinks companies should look at the whole compliance project and view compliance as a process rather than as a series of events. Symantec’s product can be used to:

1. Identify a process-oriented, top-down compliance approach and make risk-based decisions to define policies
2. Heavily automate the process so it can be done repeatedly (for multiple on-going regulations) and frequently (to access effectiveness and re-evaluate needs)
3. Get information and reports so decisions can be made to continually improve the process

One caution about even the most comprehensive IT GRC product: while the products cover homogeneous environments well, they usually require additional interfacing help in heterogeneous environments (which is more typical of large enterprises and intuitions). These products do offer documented interfaces for receiving data from other tools, including mainframe security frameworks and enterprise event monitors such as SIMs/SEMs.

When considering any of these products, EMS’s Crawford says, "You have to vet an investment based on the anticipated business benefit of the investment. There are two questions: Will the tool reduce the total cost of compliance? Will you be in a better position for dealing with compliance mandates in the future, better prepared for changing mandates, and new mandates? If either is true, the purchase is worthwhile. Customers we have spoken to have said yes to both."

Crawford’s advise when considering products for the IT GRC space include:

• Make the most of what you already have; examine your existing investments, particularly management investments, in the light of how they can be purposed for compliance mandates
• If you do need to implement, look at solutions that can deliver business value as well as compliance
• Actively look for common areas of interest across the business
• Determine if you can use one investment to address multiple goals

Crawford cites configuration management as an example for his second and third points. Configuration management databases (CMDB) can be used for tracking purposes, assuring that machines are complying with IT policies. However, in many companies, the operations group has initiated the request to examine CMDB systems. He thinks security teams have a ready-made ally, with discussions working toward a common interest, for obtaining a product that would improve operations management and improve the entity’s security.