How to Lower Security Compliance Costs

How organizations can get (and stay) compliant while spending less

How can organizations get and stay compliant while spending less money?

Based on companies’ experiences in 2004, the first year of Sarbanes-Oxley deadlines, “the first thing most companies learned is that regulatory compliance needs to be addressed as an ongoing program, as opposed to just a project,” notes Mark Feldman, senior vice president of strategy at real-time-compliance software vendor Virsa Systems, based in Fremont, Calif.

“It’s like spring cleaning. Essentially, if you keep the place clean all year long, you don’t need to have a major spring-cleaning effort once a year,” he says. Hence, “companies are looking to institute policies” to do that. Such an approach can also make compliance less costly, since compliance controls don’t have to be manually re-documented and tested every year.

According to PricewaterhouseCoopers (PwC), however, there’s plenty of work still to be done. At companies regulated by Sarbanes-Oxley, for example, PwC found 80 percent of financial reporting controls are still manual and often lack needed clarity or documentation discipline. Furthermore, many controls aren’t integrated with business processes, meaning external groups (such as auditors) must enforce them, which is costly.

Automation, on the other hand, saves money by placing “accountability where it should be: with business owners, and not with IT or internal audit,” notes Feldman.

Automating controls also doesn’t have to be an expensive undertaking. Take working with ERP systems, for example. “One thing we’ve learned with ERP is the fewer instances or differences that you have across your systems, the less testing and compliance work you have to do,” notes Dave Erickson, a partner in the advisory service at PricewaterhouseCoopers LLP in London. In other words, minimal customization of complex software means less work documenting and automating controls.

Even if your organization has extensively customized its ERP software, however, there are other ways to lower compliance costs. That’s what aviation electronics provider Rockwell Collins, based in Cedar Rapids, Iowa, discovered. “A big win for us was we went in and automated a lot of our user administration access,” says Steven Fullbright, the company’s director of e-business security and compliance.

Before automation, notes JP Calabio, Rockwell Collins’ manager of SAP application security, “every time a role was added or deleted, we had to go in and manually change it.” Any requests for role changes were sent out from a Web page as e-mails to several role approvers and security team members. “You can imagine how hard it would be to track the status and identify who approved what.”

Identifying when roles conflicted was also difficult. While IT could spot obvious ones—for example, when someone belonged to both accounts receivable and accounts payable—identifying other conflicts took “an enormous amount of effort,” says Calabio, with potential heavy regulatory repercussions if IT staff got it wrong.

So Rockwell implemented an access-provisioning tool, tied to its Active Directory implementation, to track which SAP roles were assigned to users, and to also manage which roles conflicted (or might conflict) with each other. It relayed that information to managers to better inform their role-change request evaluations.

Results were swift. Immediately, the time needed to approve or change roles for an employee dropped from two weeks to just two or three days. In addition, says Calabio, the quality of decision making seemed to improve, since people who’d been rubber-stamping role requests no longer did so. “Most importantly, the audit trail improved accountability as well, because we could see what was approved, what was rejected.”
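The control Rockwell describes, in miniature and as an added example (not Rockwell Collins’ or any vendor’s code): a segregation-of-duties check that runs when a role-change request arrives, rejects or flags requests that would give one user conflicting SAP roles, and records every decision so approvals and rejections can later be audited. The rule set and role names are constructed for illustration.

```python
"""Added example: request-time segregation-of-duties (SoD) check with a decision trail."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed SoD matrix (hypothetical role names). A "block" pair is never
# allowed on one user; a "review" pair is allowed only after manager review.
SOD_RULES = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "block",
    frozenset({"AR_CASH_APPLICATION", "AP_PAYMENT_RELEASE"}): "block",  # AR vs. AP
    frozenset({"GL_JOURNAL_POST", "GL_PERIOD_CLOSE"}): "review",
}


@dataclass
class Decision:
    user: str
    requested: str
    outcome: str        # "approved", "rejected" or "needs_review"
    conflicts: list     # (existing_role, severity) pairs that fired
    timestamp: str      # UTC ISO-8601, so the trail can be correlated with other logs


AUDIT_TRAIL: list[Decision] = []   # append-only record of every evaluated request


def find_conflicts(current_roles, requested_role):
    """Return (existing_role, severity) for each rule the requested role would violate."""
    hits = []
    for pair, severity in SOD_RULES.items():
        if requested_role in pair:
            other = next(iter(pair - {requested_role}))
            if other in current_roles:
                hits.append((other, severity))
    return hits


def evaluate_request(user, current_roles, requested_role):
    """Apply the SoD rules to one request, record the decision, and return it."""
    hits = find_conflicts(current_roles, requested_role)
    if any(sev == "block" for _, sev in hits):
        outcome = "rejected"
    elif hits:
        outcome = "needs_review"    # surfaced to the approving manager, not auto-approved
    else:
        outcome = "approved"
    decision = Decision(user, requested_role, outcome, hits,
                        datetime.now(timezone.utc).isoformat())
    AUDIT_TRAIL.append(decision)
    return decision


if __name__ == "__main__":
    # Constructed sample: a clerk who already enters invoices asks for payment release.
    print(evaluate_request("jdoe", {"AP_INVOICE_ENTRY"}, "AP_PAYMENT_RELEASE"))
    print(evaluate_request("asmith", {"GL_JOURNAL_POST"}, "GL_PERIOD_CLOSE"))
    print(evaluate_request("bwong", set(), "AR_CASH_APPLICATION"))
```

In a real deployment the rule matrix would be maintained by the business owners the article says should carry accountability, and the trail would be written to tamper-evident storage rather than an in-memory list.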

Such automated controls also give Rockwell “better business anomaly monitoring,” notes Fullbright. When designated control thresholds are passed, or anomalous end-user activity is detected, notification can go quickly to the appropriate managers so they can investigate security problems or resolve false alarms as quickly as possible.

These practices help maintain security and make the business run more efficiently. At the same time, of course, such controls keep auditors happy, which avoids fines or (in worst-case scenarios) even jail time for executives.

Talk about cost savings.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.