Compliance Without Tears

By Cameron Sturdevant  |  Posted 2007-10-19

Practically every enterprise must abide by, and demonstrate compliance with, some group of regulations intended to head off the next Enron or WorldCom scandal or headline-grabbing data breach. What's more, since so many of the routes through which organizations reach and demonstrate compliance run through their IT infrastructures, this rat's nest of requirements tends to end up in the laps of IT managers. Fortunately, as eWeek Labs has learned, much of what you need to satisfy regulations most likely already exists in your organization. And for IT departments in search of a return-on-investment case for system management improvements, regulatory compliance can offer a Y2K-style opportunity to enact needed enhancements.
While individual regulations vary, the elements shared by these compliance mandates boil down, more or less, to a set of IT best practices: collecting information about your data and IT environment, documenting what happens to the data and changes in your IT infrastructure, and reporting all this information to external auditors on demand.
By preparing for these elements and securing an understanding of the regulations and risks that apply to your business, IT managers can help their organizations achieve regulatory compliance with as little cost and trouble as possible.

Regulations and Risks

Though no one likes to do it, IT managers should read through the regulations that business managers tell them apply to their company. As an adjunct to the regulation text, it's worthwhile consulting either ITIL (Information Technology Infrastructure Library) or COBIT (Control Objectives for Information and related Technology), both of which are systematic, industry-accepted guides that offer IT organizations a solid model for interpreting regulatory mandates. After reading through the regulations, make a checklist of exactly what data you must track, such as personally identifiable information, PANs (Primary Account Numbers) or Social Security numbers. In addition, take note of how and by whom that data is accessed and stored, and when changes to that information must be noted and logged. Both ITIL and COBIT provide extensive lists of data typically collected in the IT environment and can serve as a good reference during compliance planning. IT managers need to decide which compliance reports can be supplied first, given an understanding of the regulations and the available IT resources. This means performing a risk assessment of the value of the protected assets, the cost of being found non-compliant, and the probability that the business will be exposed to liability if protected data is breached. Risk management is as much art as it is science, and IT managers who demonstrate an understanding of business risks in the context of regulatory requirements can shine in carrying out a compliance project.
To help, seek out products, such as nCircle's Configuration Compliance Manager, that let you assign criticality to business processes so that the most important problems are dealt with first.

Collecting Information

Once you have the lay of the land regarding the regulations and risks that apply to your organization, it's time to develop a picture of your infrastructure. Collecting this information is the only way to keep the data needed for compliance reporting up to date. Reducing the cost of data collection means creating ongoing processes to support audit operations. Start with a logical network diagram. Overlay maps such as those produced by Ipswitch's WhatsUp Gold show physical assets such as servers and network infrastructure alongside application architecture diagrams. Next, note where data is in motion across your network and where it is in transit to partner networks, as well as where the data is stored. Identity management systems that are likely already in use at your organization, such as enterprise single-sign-on tools like Passlogix's v-GO, can play a crucial role in collecting information, such as who accessed which applications and when. Use the log collection systems associated with your databases and applications to keep track of what changes were made and by whom. Because audit reports universally call for user-level data access logging, make sure applications can provide this type of information via an API or a log export.
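The user-level data access logging described above, as an added illustration that is not part of the original article and not code from any product it names: a small audit log that records who read or changed which record and when, keeps before/after values for changes, masks PANs and Social Security numbers so the trail does not become another copy of the protected data, and exports one JSON object per line for an auditor. The customer records, user names and account numbers are constructed sample data.

```python
"""Minimal user-level data access log with an export for auditors.
Added illustration; not from the eWeek article or any product it names.
The sample customer records and user names below are constructed."""
import json
from datetime import datetime, timezone

# Fields whose values must never be written to the log in the clear.
SENSITIVE_FIELDS = {"pan", "ssn"}


def mask(field, value):
    """Keep only the last four characters of a sensitive value so the audit
    trail does not become another copy of the protected data."""
    if field in SENSITIVE_FIELDS and value is not None:
        value = str(value)
        return "*" * max(len(value) - 4, 0) + value[-4:]
    return value


class AuditLog:
    """Append-only list of events answering who did what to which record, and when."""

    def __init__(self, clock=None):
        self._events = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def record(self, user, action, record_id, field=None, before=None, after=None):
        event = {
            "ts": self._clock().isoformat(),
            "user": user,
            "action": action,  # "read" or "change"
            "record_id": record_id,
        }
        if action == "change":
            event["field"] = field
            event["before"] = mask(field, before)
            event["after"] = mask(field, after)
        self._events.append(event)
        return event

    def events(self):
        return list(self._events)

    def export_jsonl(self):
        """One JSON object per line: the 'log export' an auditor can load."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self._events)

    def history(self, record_id):
        """Every access to and change of one record, oldest first."""
        return [e for e in self._events if e["record_id"] == record_id]


class CustomerStore:
    """Toy data store that routes every read and write through the audit log."""

    def __init__(self, audit):
        self._rows = {}
        self._audit = audit

    def create(self, user, record_id, row):
        self._rows[record_id] = dict(row)
        for field, value in row.items():
            self._audit.record(user, "change", record_id, field, None, value)

    def get(self, user, record_id):
        self._audit.record(user, "read", record_id)
        return dict(self._rows[record_id])

    def update(self, user, record_id, field, value):
        before = self._rows[record_id].get(field)
        self._rows[record_id][field] = value
        self._audit.record(user, "change", record_id, field, before, value)


def demo():
    """Constructed scenario: one record created, read by a second user, changed by a third."""
    audit = AuditLog()
    store = CustomerStore(audit)
    store.create("alice", 1001, {"name": "J. Doe", "pan": "4111111111111111"})
    store.get("bob", 1001)
    store.update("carol", 1001, "pan", "4222222222222222")
    return audit


if __name__ == "__main__":
    print(demo().export_jsonl())
```

The design point is that reads are logged as events in their own right, not only writes, since auditors ask who looked at protected data, not just who altered it; and that the log stores masked values, so the audit trail itself does not need the same protection as the data it describes.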

Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at
