Compliance Without Tears

By Cameron Sturdevant  |  Posted 2007-10-19

Systems such as Configuration Compliance Manager can use a temporary agent to fetch information including anti-virus and firewall software status, password-policy compliance, and system-patching currency from end-user systems. Collecting information and storing it in a uniform repository is the foundation for "collect once, report many" compliance tools.
Documenting Change
It's easy to skip change documentation. It's also one of the hardest parts of an audit with which to comply. By itself, change documentation—keeping track of which staff member changed which policy on which network device, when this was done and with whose authorization—is among the most sought-after audit material. Tripwire and Solidcore are two good examples of change management systems that also provide the documentation needed to support a compliance audit.

When you have well-documented change management procedures, you'll be more ready for auditors. By logging your network device configuration files, and by maintaining procedural guides that document how server operating systems are hardened and how unnecessary services and protocols are removed, you can help ensure that your interactions with auditors go smoothly. In addition, user provisioning systems that document how users are uniquely identified, authorized and removed from access lists are essential. Fortunately, these processes are a fundamental part of any management application. The key, however, is making use of these features.

When fulfilling the network security requirements of PCI DSS (Payment Card Industry Data Security Standard) and the Sarbanes-Oxley Act, having detailed documentation on infrastructure changes can be the difference between passing and failing an audit. Based on our discussions with numerous organizations, however, it's clear that even with this information, most businesses don't pass an audit the first time through. Use the failure as a learning experience and ensure that processes are corrected as quickly as possible.

Reporting to Auditors
Between global governance, risk and compliance monoliths, such as OpenPages, and manually updated Microsoft Excel spreadsheets lies a broad swath of tools that can help IT managers demonstrate and enforce compliance with industry rules and government-mandated requirements.
While all the tools mentioned so far have at least some reporting capabilities, eWEEK Labs has found that, generally speaking, the breadth of these products' reporting capabilities tends to be inversely proportional to their enforcement capabilities. In other words, a product such as Ecora's Auditor Professional can provide detailed configuration and change reports about operating systems, databases, applications, and network devices such as firewalls and routers, but it doesn't provide the tools to meet the actual requirements of regulations, such as data encryption. Conversely, an enforcement tool such as Passlogix's v-GO is very good at providing unique user identities with strong passwords that meet the most stringent user security requirements, but it is limited to reporting on that information alone. Almost all organizations will need to use a combination of broad reporting tools and narrow enforcement products to produce the full range of reports needed by outside auditors. Audit reports, and the almost-invariable first-time failure, can be used as an opportunity to clean up long-standing problems while also bringing your organization in line with externally mandated regulations. Keep in mind that the reports are only one point in an ongoing compliance process: After the work is finished and the certification is issued comes another round of data collection and preparation for the next audit.
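The "collect once, report many" repository described at the top of the article and the change documentation that the sections above call for (who changed what on which device, when, and under whose authorization) can be shown in one small program. The Python below is an added example, not code from the article or from Configuration Compliance Manager, Tripwire, Solidcore or any other product it names. The record shape, the policy thresholds (patch age, signature age, password length and age), and every hostname, user, ticket id and date are constructed assumptions; a real deployment would feed the store from agents and a ticketing system.

```python
# Added example, not code from the eWEEK article or any product it names.
# A minimal "collect once, report many" evidence store: endpoint agents and a
# change-management hook write records of one uniform shape, and the two
# auditor-facing reports are views over that single store. All hostnames,
# users, ticket ids, dates and thresholds below are constructed sample data.
from dataclasses import dataclass
from datetime import date, timedelta

AS_OF = date(2007, 10, 19)  # constructed "report date"


@dataclass(frozen=True)
class Evidence:
    host: str
    kind: str        # av | firewall | password_policy | patch | config_change
    observed: date   # when the agent or hook recorded the fact
    data: dict       # kind-specific payload, normalized by the collector


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    host: str
    approved_by: str
    window_start: date
    window_end: date


class EvidenceStore:
    """Single repository for collected facts and approved change tickets."""

    def __init__(self):
        self.records = []
        self.tickets = {}

    def collect(self, record):
        self.records.append(record)

    def authorize(self, ticket):
        self.tickets[ticket.ticket_id] = ticket

    def by_kind(self, kind):
        return [r for r in self.records if r.kind == kind]


def endpoint_compliance_report(store, as_of, max_patch_age=30, max_sig_age=7,
                               min_pw_len=8, max_pw_age=90):
    """One row per host built from endpoint facts; thresholds are assumed policy."""
    rows = {}
    for rec in store.records:
        if rec.kind == "config_change":
            continue
        row, d = rows.setdefault(rec.host, {}), rec.data
        if rec.kind == "av":
            row["av"] = d["enabled"] and d["signature_age_days"] <= max_sig_age
        elif rec.kind == "firewall":
            row["firewall"] = d["enabled"]
        elif rec.kind == "password_policy":
            row["password_policy"] = d["min_length"] >= min_pw_len and d["max_age_days"] <= max_pw_age
        elif rec.kind == "patch":
            row["patch_current"] = (as_of - d["last_patched"]).days <= max_patch_age
    checks = ("av", "firewall", "password_policy", "patch_current")
    for row in rows.values():
        row["compliant"] = all(row.get(c, False) for c in checks)  # missing fact = fail
    return rows


def change_audit_report(store):
    """Who changed what on which device, when, and under whose authorization.
    A change is flagged when it cites no ticket, a ticket approved for a
    different device, or falls outside the ticket's approved window."""
    findings = []
    for rec in store.by_kind("config_change"):
        ticket = store.tickets.get(rec.data.get("ticket"))
        if ticket is None:
            status = "UNAUTHORIZED: no matching ticket"
        elif ticket.host != rec.host:
            status = "UNAUTHORIZED: ticket approved for another device"
        elif not ticket.window_start <= rec.observed <= ticket.window_end:
            status = "UNAUTHORIZED: outside approved window"
        else:
            status = f"authorized by {ticket.approved_by} ({ticket.ticket_id})"
        findings.append({"host": rec.host, "who": rec.data["who"], "what": rec.data["what"],
                         "when": rec.observed, "status": status})
    return findings


def build_sample_store():
    """Constructed sample data standing in for agent output and a ticket system."""
    s, t = EvidenceStore(), AS_OF
    s.authorize(ChangeTicket("CHG-101", "fw-edge-1", "netops-lead",
                             t - timedelta(days=3), t - timedelta(days=1)))
    for host, fw_on, patched_days_ago in (("ws-42", True, 10), ("ws-43", False, 45)):
        s.collect(Evidence(host, "av", t, {"enabled": True, "signature_age_days": 2}))
        s.collect(Evidence(host, "firewall", t, {"enabled": fw_on}))
        s.collect(Evidence(host, "password_policy", t, {"min_length": 8, "max_age_days": 90}))
        s.collect(Evidence(host, "patch", t, {"last_patched": t - timedelta(days=patched_days_ago)}))
    s.collect(Evidence("fw-edge-1", "config_change", t - timedelta(days=2),
                       {"who": "jdoe", "what": "added ACL entry for web tier", "ticket": "CHG-101"}))
    s.collect(Evidence("fw-edge-1", "config_change", t,
                       {"who": "jdoe", "what": "removed syslog forwarding", "ticket": "CHG-101"}))
    s.collect(Evidence("rtr-core-1", "config_change", t,
                       {"who": "asmith", "what": "changed SNMP community", "ticket": None}))
    return s


if __name__ == "__main__":
    store = build_sample_store()
    for host, row in sorted(endpoint_compliance_report(store, AS_OF).items()):
        print(host, row)
    for f in change_audit_report(store):
        print(f["host"], f["when"], f["who"], repr(f["what"]), "->", f["status"])
```

Run as a script, the endpoint report shows ws-42 compliant and ws-43 failing on its firewall and patch currency, and the change report shows one authorized firewall change, one change made under a valid ticket but after its approved window had closed, and one router change with no ticket at all. Two design points carry over to real tooling: a host with no record for a check is treated as failing rather than unknown, so a silent agent cannot produce a clean report, and the change report answers the auditor's four questions (who, what, when, authorized by whom) directly from stored records rather than from reconstruction after the fact.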

Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at
