Enterprise Applications - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Enterprise Applications


Compliance Without Tears



 By: Cameron Sturdevant
2007-10-19
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Enterprise Applications story.


  Table of Contents:
  1. Compliance Without Tears
  2. ' Compliance Without Tears '
  3. ' Compliance Without Tears '

Rate This Article:
Poor Best
Compliance Without Tears - ' Compliance Without Tears '
( Page 2 of 3 )

Practically every enterprise must abide by and demonstrate compliance with some group of regulations intended to head off the next Enron or WorldCom scandal or headline-grabbing data breach.

Whats more, since so many of the routes through which organizations reach and demonstrate compliance run through their IT infrastructures, this rats nest of requirements tends to end up in the laps of IT managers.

Fortunately, as eWeek Labs has learned, much of what you need to satisfy regulations most likely already exists in your organization. And for IT departments in search of a return-on-investment case for system management improvements, regulatory compliance can offer a Y2K-style opportunity to enact needed enhancements.

While individual regulations vary, the elements shared by these compliance mandates boil down, more or less, to a set of IT best practices: collecting information about your data and IT environment, documenting what happens to the data and changes in your IT infrastructure, and reporting all this information to external auditors on demand.

Click here to view this slide show on compliance.

Resource Library:
By preparing for these elements and securing an understanding of the regulations and risks that apply to your business, IT managers can help their organizations achieve regulatory compliance with as little cost and trouble as possible.

Regulations and Risks

Though no one likes to do it, IT managers should read through the regulations that business managers tell them apply to their company.

As an adjunct to the regulation text, its worthwhile consulting either ITIL (Information Technology Infrastructure Library) or COBIT (Control Objectives for Information and related Technology), both of which are systematic, industry-accepted guides that offer IT organizations a solid model for interpreting regulatory mandates.

After reading through the regulations, make a checklist of exactly what data you must track, such as personally identifiable information, PANs (Primary Account Numbers) or Social Security numbers. In addition, take note of how and by whom that data is accessed and stored and when changes to that information must be noted and logged. Both ITIL and COBIT provide extensive lists of data typically collected in the IT environment and can serve as a good reference during compliance planning.

IT managers need to make decisions about which compliance reports can be supplied first, given an understanding of the regulations and available IT resources. This means performing a risk assessment of the value of the protected assets, the cost of being found non-compliant and the probability that the business will be exposed to liability if protected data is breached. Risk management is as much art as it is science, and IT managers who demonstrate an understanding of business risks in the context of regulatory requirements can shine in carrying out a compliance project. To help, seek out products, such as nCircles Configuration Compliance Manager, that let you assign criticality to business processes so that the most important problems are dealt with first.

Collecting Information

Once you have the layof the land regarding the regulations and risks that apply to your organization, its time to develop a picture of your infrastructure.

Collecting this information is the only way to keep the data needed for compliance reporting up-to-date. Reducing the cost of data collection means creating ongoing processes to support audit operations.

Start with a logical network diagram. Overlay maps such as those produced by Ipswitchs WhatsUpGold show physical assets such as servers and network infrastructure alongside application architecture diagrams.

Next, note where data is in motion across your network and where it is in transit to partner networks, as well as where the data is stored. Identity management systems that are likely already used at your organization, such as enterprise single-sign-on tools like Passlogixs v-Go, can play a crucial role in collecting information, such as who accessed what applications and when. Use log collection systems associated with databases and applications to keep track of what changes were made and by whom. Because audit reports universally call for user-level data access logging, make sure applications can provide this type of information via an API or a log export.

Page 2: Compliance Without Tears





  Reader Comments: Compliance Without Tears
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Enterprise Applications Articles          >>> More By Cameron Sturdevant
 


xr۸({\5ќ5N6ŋvl˱&e)dRQ$$qLZ$KK?Kg<xӅ|I2KflݍF7?I9surF5g6%E]"I~xH`\ϩIzNڶ? Ou u9Azۀpg3YÃ[j (KxcMFlMel#k`p,cwh{9D@-s!&2?K;'?+B=]2Hߦ0uɷ>SfANlj,}a'E%UUlEpHԸ!|x\gOгƏ;gPb7 Ҵ?쓁7S!+629z+Po +/ @Z#\DȁY\nh-?Tݑc:[ ͡odUZL w6S!1+k9Tը>lhYG|ݑ|YCXw:QtQA3MuڟCԿ)$fB 8QKj+z=Ķ|{'Sh:tu̿y+׳*ݸy1̳_`D-"GlR =q7uLazH&5\O, Esؖ}Yͼ`F3l˸;4 @SKVUBX)ځVY-ip'ooz3jλ ]` vdu]+h5U9鑋yиm g C'Fb;}" @D%\.&I"0h54t^H}xT啒^TwjFV4E; KHR ӘS$hICF/XTU![cҺ赮.鵎Nڭ$IJ1<JEӀH Zzd"=ZKqKN:W}")|rg5MP\̱8ڪV\W`CK']Mn[CyC0-ߕRMRso~:>]8RG$'uH{0omYn]H.ޕ|T,, Q2ofU x[&%i " kh:ur%ժZ2GE1MXR‡ t$u[5Hr Vϡ8ȟ$Wi8@rX5XUl \4'~^',|YB* bZ9nPWȨYө$ɛ!"ˆGn9Cx,ʹec[n<ηӰuirv \nVՉ2YXYufjY?iQwΨqj>\Isymkdzuw#椋Loo`3檣V)b1xH rE(T\ic2ud8İ#ʠ :괱;\Vc4@!D &MaNh>[ |{ } 1&ԟsZ TP"wM hA'r=kJׇ&[?? [ G`p\&[ hk-DM4C` V<2+?k>f(n@ }SH|`OA[9nAc@M CRRP$S I#r*B!,`@n% [A;k bR .<ҦBIg}zn<)}TKh+\% 93TYJjL=?l1!UG,[E`z9r,T.k O6VJy[+R4dTH9 uO+ZIQQ#U^?)p[L9 =:3|hy Y?bf'ޘ.c~Xzspo aB?9bѪ)C--j|6ۇ)|Ц5}b0&[l6c{A3uNP"/Կ _ ۝.ç[N=\҃1 4fgܗ n'$50K%xkݬ ̙#>d .E=b$~f -D,D!', 9*e+)ˬܲPӔ S%I LyK).EcwBQm㔜Ġ;F])zhQkڞɴӬʷY UbueIJ{°յZ*쉟Ei l-W5Q0P*4)i ’alcy!Cuz ^IO-}hMu}ZN뷘TM.R?62ai[FoՒhMb1zn g&AqsGNlJirir68u>)UKϵA)"ݩ{zl>v{t#p:hBJmw:v JYY,b=*4jKz Vof ׆ %K Ôҵ&SKwEeHMw&n h>jG[a@r*Ϩfh:l <}:8y¬5ѝ_ORPI܏:&"_G5 k Q+wڶ{4]QG X)9Y8 p_k@l8$T2Paa0] etaX/kьV4:E80ef+;T*Pzݻ(Qܥ& ;oâ#_- C 2H$6/`k΁`@B &@cZ_FkZCSD܄7ц&к|XMoXL+*)K.pϟ sWyGfX?Ky΁x}ˬ7 'Z^Sz~Agf-%33+x/ ƌ0;`d#7\@ +RUww/5 )2*<:`rUTՑG7`sc'i=z&: `LDnЬ 0Դ'siM dwPJ o|~CJh7H"0v.eۏUWL @(8@u8|[\ZS Q|5z0dʏQ01.2*ZK{>󌠬,8m[D ZXň h;qņj 1Ӛ 0};N`էkԑ +fh+4stJb+ͤVB)EeXyhQrC<ͤUpR|9~-^7zFnsU-ylFo -JTȵ#}{-%r jDD{~|UM+%yN2YSIptXκZkl4O?Z Ɗ߼Bp5xl==CݸM,`YEn;&+㧠kqɜ]/)ɹ&wBVNZo2i$e|;W.xY3{u¿U."_]qcn!2v"9z+|/I+0ZRRhU@V 2ˁ; _g.5&aHx}GVUO4iģT1Ey $z=.EЊr}cLNXoLGnR| m$\EC>+m^L\XPY\\&CUX)TԒ/IXqAɜ]AрM\r8O+ps!p}/O A'FZMʵL] ?ۤTV\=^}95ף~@L@=tP3)&4Ɲ5/V T:`2J(K[ kfq,ۇ: a{*ݔY`'\U%P-HjIx68PxnH N @WQﻱW"L<}O5{Ouox4 x4H;wk~ʾn(t6EM+t׀m+J9wOG2M#g(D)jieޓEO)'+mJPpLg( ,$$%l,rޏ۷mpH75aShp| ^?KHHD"R#N-4n7<[PfW㘘= ת-ln}J~jg^Ѝ1?PX2"NrE^)>)hlsѓNOx:ȄyuuO_v^skN{Q~^-MwZ\00C~ǭI·c}|Qٷ8 KRbv}Lɶ3zZ^6+^6v: 2CHv4,r:y]B}9\C|}ђ:փ! Y> B=GgUx6q)qm2G3|aL ^Cڊҹ:n]qbA9kNZ _Ohk5Vy.'7Le8XٍW;_aY,$<0 I+U:9>  kJ=!o8nw/Ϛi9D `I+Щ #~؟RJI QV#=)#ķQɉOaIc1:(:[Kᷘo9?ů1KwxAp[(+h,UdsJ=tP?xX>kwާtz? iZ;g ōW7 rEP>[IRB9kũp-ޱakO܁Y(^HC۽[6@I5pOFP6n'in&.Z7t[b 3ɔbJ49uyH#%dBE[m84ǠR#I1$$Z^T@,*s攤vCȔXN GƽbZ@Ɍ7CCz g=#tz>ȥG֫݅~>,~OG뻌w.G!GoqSxw|}ԒH>r۝&jD ܎p54{qJ9Npus`TzH^أ؈ڽ]kg[DL;*pG#^MuOyרO Z6;x6_tX ~AXy VrlK9Grq&}X$` 횻܍1“gD`GHA|G˩سMs _563Z;sL+|\"Zyda? W_7zkV(|SvZ /1g&o(#ߍ_j w S1MK/1 !Cs_3[G_ <t(u߂Kd[:`8Y&?V#`,FeբZ*M&t_n:?ٿz9~KȍoЩJ'gxL2sat)r6PX8~1Lji:=rEG3[AAaIϝ5'uS:EcMp}p,>XukȺύRat%k)qc6uF؛`4 \fÍ&.%SRE>WH\JB͉q E\hZjܯ%w1BBt "&a?cʼnakldD> OGP gI.`%=IMɔB<=7_bwnTH*=PG ]tQ!u#3>pAS13DM® +E`oB<dtѴM\tJ-gUh 3Եu"kaLj3E 0 axUBO& }66ȴrJJhEtQ=ֵ$-a ڀ%hRt`o06hǵj˱ T TW )/o"yqwSwwSwSwS7k-Дn[|W޸K}3jfcϗa$8<n3~[; f!H" cjǍQ.U oHssܜ;D^ㄤ y7p=qGٔ'i$,P0G-q )!7ԗxɰe"ℴOb#z5rcYk;XcÑ.><$e~lhӑ-gK[w6!L܋C@ v$s"*CTloHj/@3q.{z9l_tgdb-@0ou'$(*57}$@Io<is$X<5V~C|6m1;™8Dј7+8%²# ;cU)#3l*akIc׀5(joGO$dҢFrΆܤ 22r i*ߚ԰\tevD%u$">o3#^b~ԥk\zy[U׶L!u@8jO3!!ځݼӍ~i3zj؅׺}AP:,(Xq DXy"!<bo:0[,C^@} 5$&P}˗ځq1c`L?o#tGjtg5qp$];DiI062_X^W!# ~i{*{̹.q=c4tMtȻXuN;oeR^ uh0`,]cn;jYE>L 'P>q'xXc{?oZf/eT8.t3Q+⇥/I&w^\ӯFv6.j;|2uF !K.&Fq]{A'4aY'X@;CfdHYLJ¤;n)-6 p &FH6o/[s?Yƭfϩ;me-!pzB_F(WQj4 0{eMd QPZkz uXů^ѬpY֔fMRsA۴{}7`W0;<O²w>ȳhKk٥gyN`X:+Ec9Zvcb[Mc=؃ tЀ3MЬD5fX'-%"Q0Mݡ$aqX34ͯ #$*X(õ3'䧺pM;G{usZ+G,_l,6jF=/o[z,_Y@Yl|72$ Nw ۤRˋFP ,Ñ@tœ3a#qjD'loxŬqsRKChX<|Yd=X67է Y+z)ל\Ӣ}=3XX|!;zOHW:ij҃ODw'/ 2â۴> 2(&i`?^-Yfl`n2(yK9q5{g)w{Odz?w¤Xt'O,7 v2.Eo! |5׹AP7ķlkuė;ήqGZY13ʑuB;BV}m㊓98M[Ž p{$e &:BaD0dXTydg`*׶'NtgZF ǹa%0mg+A#AI҂B4쎰wĨW\ڕ"wHb/PVs}K#, -OakjrD-x$I./x ȋL,pe_FPxAҼ&0fX|S,^ JW11ƜS qRSs.}K\Cb/ZdqK4/ #|Щ>&^ME(8+^3HR&\+ԀJTHTijr>)7oTS#Vr="z0Ӫ \r="vۺz0Մ7ҥ|W\AO[jswfDPe@ʹ֝eȆPcq.* =,Ӑh-x!wY `miXx>H'ܲzFwIfSjRZA)r`!=;?_+UMhբ jG@VTOXy0=(Ur3<pnBILqG:gYRI+T[g?Nq  +Pх%AY0Vbi+ 1 M|<\>ap@0eˡ}hZ2PŸ X9?/0s{IF^Y0;̜uӉHuWkmR)ݫR\mD έZ_`busΩ:ʒ2 Y9lmےVo4Js;$&ftzЖSjX:N_K kCoϡgZܳFԞkx㉪+(`a :irˇh%=2׸i)ZrD#TTbЍB1KM;InP}7Y?d=` zf=[!VUv_$ru ZR>__d۶6 }HG߄Wœ/ } OrthFWe\Skb8w_ 6bVzgZa!G(?=xIn&i4B&3' ?amLN>sCRY 醵`Mi$b ɓvڗj Y {3s  ydhtM\"@H>Q|נhP؞?ML)asSapf .h`S֙ej sz?>12ɀjdb,ywJWC'kEYG71=`3'?vai.us\jHOdcB4_ DpI~򌕞-×?0}H.ƌ JU(KRWW |+R0bU-%N+_#S,wV3le,s-Mȕ@9ZAȐq[XG|TBzX\{cݹk4//>iVt?vڗv:x ZҶpt{ԭs9tԹtҾh]^/zƉL_3}iP,eJy)3C9].ͅdY/Y2U94dC1=Ty(ڽ5Y6ührezq7M&6񏡵UղpڽOkr8ٙE֔fySM-G*5]0.8)nu:E+Uj^*Q^m9eCW~: H@z'#):ppH?' haui;8mNoth_;}hi_dC5w3?Ag,>v9gggssyFρ>3<>G/2?fBiFkF9g^dE\]d_hO'Ct@t2%e}\BˌW@?WӅw3߅w3e_7Hmu?fC>f#c!:+:~3/9IR< >k^0#kfK "|)+P'5Hϐge3VڍNa{r!WFˀn {s\WKM0TtEٳKD않c\o%m:v B__4q;Lw,ߔYnƊ6SLqϜ9OWɴFV< ~}I@*d>܃fc>s2 #٣,B;H_ehĻ͏ٞ܃8&9.n ٍ䅑9#p+b: Kkr>u}|緶xvY.͌j,7m(>YsپGh %Os*WYn- ǡ8{<~r܌3:X_uCAi]]4w-љMdA]eIP4P !Fo0d0J-z@h P>1=:.lǬ*Ƙ4f.(^( ^"T6*Ac(<),J̹4vW;)EـD@SƝ}gԟmo3i*u +=-h+UDt2Ykwz:e@B4009 h ޠzԍ}y<8?[%Gcx-ȷ:ѧ_]x#4n \Z=wp*WYjclK@`XC,+&lybmbarֆ29>Nc̓~:G=f IߎΉ\#u{Ȳ{gaٷ./%C?wwJ߅F&;a91jX "c5c,Fvԙ@Ы^Q?m '*Aƌv3OF"ey%<2$+3Zb1T\_S73e.ۀJoē}":!o6Nώ{;Y:!5 ~5u;L_4'/:~22rd~1Ln`[>/t{ Y^SL]v`ՋO/N&~'IK-}sO} 9$Ie`Կug CcͷgIg@GX1Wd' A'|NbMxXe7gĹM&۬Є0ꟻ.ٛV# j /McA۾$]מ X;(xmlø?=V@nt5,6w"c -=EbЁ/*v:XUm$9=ASh4OU;gCCJw{]oՕ\)*f*H{F(>a+/]=ǽ '\|s6_@=7eքzLT z̴5';Xl=^z#O֒ۍƶ ;><=v|4#eeI.~?N^T>$+p#R.܋OFې/d)0XPy74Am{'n/[62' SL+4%RxcFZ_cXa vHV&Lt>Ȃ[OulÝG8C# d1Қqljċ2i|? e!Mwt0=@F3 V݀=Q$T{xR_}r8`KL\-|v0q=Ħ2|R2OEpvRc ;93ߏ[MQs9,ByXY#^|:ym.E"cu ݎ¦m/y8< ׁ] l !CamR>E ]f'[ڦ2й=-{ק i[ ;]ʾ,ϱ{QAbf@8u vAѲ V7"֐0^q7Kl@ cwQbz LN彊Ӷ E9b QpSdؖE.^dSm{Ǻgye{OEmY>mЌaO0}3#cgb@x˖ƭӯy~kC#>F~vxy|u2i^GfB^òLjl-g^kta(ranvgvE{&=\s&%tصa=|b\8qQoeQ1bPrY"0W_n>AckDeU$PtBiEL`;X+vN%th&vP?g`هlʽ~H&/@Ql[ۺНDnx[OByҹI'٧}RI>R}v4\KaFy遢&!t[i B":w<>n_Kf{zv`ol3gs7~b ZSˬZY$IL#[ob['- U.kIM)V gqC۩ g۰N*d%rR3EiQ}"'eҾ wE&l)vsm-6]-;O6,