In-Depth
Five Steps to a Continuously Compliant Data Center (Part 2 of 2)
These five steps provide a road map for continuous compliance in the data center.
By Dan Trevino, Senior Product Marketing Manager, BMC Software
Part 1 of this series addressed the initial two steps for achieving continuous compliance in the data center: setting definitions and goals for compliance and implementing your compliance framework.
With continuous compliance you can prevent problems that could impact your company's credibility and profitability. By following the initial steps along with the three we discuss here, you will have an excellent road map for achieving the compliance results you require in your data center.
Step 3: Measurement
Along with implementing the platform and controls, you need to put a mechanism in place to measure performance so that you can assess the effectiveness of your implementation. The specific metrics you choose will depend on your organization and your particular compliance objectives. Examples of metrics that many successful companies have leveraged include:
- Policy adherence: What percent of the data center complies with each policy?
- Percentage of audit failures: How significantly did you reduce the percentage of failed audits?
- Mean time to remediate: How quickly can you fix a compliance issue that has been detected?
- Exceptions: How significantly did you reduce the time required for detecting, documenting, and fixing exceptions?
When defining your metrics, limit your choices to things that you can effectively measure. Start with a small number of meaningful metrics and add to them only as necessary to increase transparency or adherence.
Step 4: Enforcement
Maintaining continuous compliance is critical. Look at deviations to determine if they are more prevalent on a particular platform, role, or service. Investigating these areas guides you in applying resources to correct the deviations and ensure that systems are always operating according to policy.
Here's an example of how one company enforced compliance. A provider of broadband, television, phone, and mobile services had automated system-level and system-wide configuration changes and integrated them with approval processes. That helped the provider meet the credit card industry's PCI DSS (Payment Card Industry Data Security Standard) standard for monitoring ongoing compliance.
As a result of this automation, the company has improved management, control, and enforcement of configuration changes. Deployment of each configuration item is now 80 percent faster. In addition, the process has also improved data center stability and service quality, decreased application downtime, increased IT productivity, and reduced data center operating costs.
Step 5: Monitoring
Monitoring is about providing insight into whether your environment is becoming more or less compliant and reporting any findings to management. It shows you how well controls are working and what activities are occurring. Management reports provide data for creating scorecards and identifying trends.
For example, a software-as-a-service (SaaS) provider uses a combination of printed reports and dashboards to monitor compliance with a variety of regulatory requirements and industry standards, including PCI DSS, Statement on Auditing Standards (SAS) No. 70, and Sarbanes-Oxley.
Reporting capabilities have made it easy for staff to show auditors the details of each change and the thoroughness of change control processes. According to staff members, demonstrating that current server configurations are all in compliance is effortless.
An Investment that Pays Off
Just as spending what's needed to keep your automobile in good repair will improve its overall value, making an investment to implement these best practices for a continuously compliant data center will ultimately improve the value of IT to the business. The effort you invest in these best practices will pay many dividends beyond compliance. To assist you in this effort, automated processes and tools help to eliminate human error, free up staff time, and bring greater stability to your IT infrastructure.
All of these benefits can translate into lower costs, greater efficiency, and a good corporate image with customers -- benefits that will position your company to compete more effectively now and when the economy rebounds.
Dan Trevino, senior product marketing manager for BMC Software, is an expert in regulatory controls and compliance. He currently drives the IT Governance, Risk, and Compliance (IT GRC) offering at BMC. Trevino has lead the design and creation of the BMC compliance and IT GRC offerings since he joined BMC in 2009. He was an enterprise architect for an IT governance and compliance consultancy and developed and managed the services program and solutions deliverables for their successful IT compliance consulting practice. Trevino has over 25 years in IT with expertise in both process management and systems management.