Compliance Without Tears

By Cameron Sturdevant  |  Posted 2007-10-19


Practically every enterprise must abide by and demonstrate compliance with some group of regulations intended to head off the next Enron or WorldCom scandal or headline-grabbing data breach.

What's more, since so many of the routes through which organizations reach and demonstrate compliance run through their IT infrastructures, this rat's nest of requirements tends to end up in the laps of IT managers.

Fortunately, as eWeek Labs has learned, much of what you need to satisfy regulations most likely already exists in your organization. And for IT departments in search of a return-on-investment case for system management improvements, regulatory compliance can offer a Y2K-style opportunity to enact needed enhancements.

While individual regulations vary, the elements shared by these compliance mandates boil down, more or less, to a set of IT best practices: collecting information about your data and IT environment, documenting what happens to the data and changes in your IT infrastructure, and reporting all this information to external auditors on demand.


By preparing for these elements and securing an understanding of the regulations and risks that apply to your business, IT managers can help their organizations achieve regulatory compliance with as little cost and trouble as possible.

Regulations and Risks

Though no one likes to do it, IT managers should read through the regulations that business managers tell them apply to their company.

As an adjunct to the regulation text, it's worthwhile consulting either ITIL (Information Technology Infrastructure Library) or COBIT (Control Objectives for Information and related Technology), both of which are systematic, industry-accepted guides that offer IT organizations a solid model for interpreting regulatory mandates.

After reading through the regulations, make a checklist of exactly what data you must track, such as personally identifiable information, PANs (Primary Account Numbers) or Social Security numbers. In addition, take note of how and by whom that data is accessed and stored and when changes to that information must be noted and logged. Both ITIL and COBIT provide extensive lists of data typically collected in the IT environment and can serve as a good reference during compliance planning.

IT managers need to make decisions about which compliance reports can be supplied first, given an understanding of the regulations and available IT resources. This means performing a risk assessment of the value of the protected assets, the cost of being found non-compliant and the probability that the business will be exposed to liability if protected data is breached. Risk management is as much art as it is science, and IT managers who demonstrate an understanding of business risks in the context of regulatory requirements can shine in carrying out a compliance project. To help, seek out products, such as nCircle's Configuration Compliance Manager, that let you assign criticality to business processes so that the most important problems are dealt with first.

Collecting Information

Once you have the lay of the land regarding the regulations and risks that apply to your organization, it's time to develop a picture of your infrastructure.

Collecting this information is the only way to keep the data needed for compliance reporting up-to-date. Reducing the cost of data collection means creating ongoing processes to support audit operations.

Start with a logical network diagram. Overlay maps such as those produced by Ipswitch's WhatsUp Gold show physical assets such as servers and network infrastructure alongside application architecture diagrams.

Next, note where data is in motion across your network and where it is in transit to partner networks, as well as where the data is stored. Identity management systems that are likely already used at your organization, such as enterprise single-sign-on tools like Passlogix's v-GO, can play a crucial role in collecting information, such as who accessed what applications and when. Use log collection systems associated with databases and applications to keep track of what changes were made and by whom. Because audit reports universally call for user-level data access logging, make sure applications can provide this type of information via an API or a log export.


Systems such as Configuration Compliance Manager can use a temporary agent to fetch information including anti-virus and firewall software status, password-policy compliance, and system-patching currency from end-user systems.

Collecting information and storing it in a uniform repository is the foundation for "collect once, report many" compliance tools.

Documenting Change

It's easy to skip change documentation. It's also one of the hardest parts of an audit with which to comply. By itself, change documentation—keeping track of which staff member changed which policy on which network device, when this was done and with whose authorization—is among the most sought-after audit material.

Tripwire and Solidcore are two good examples of change management systems that also provide the documentation needed to support a compliance audit. When you have well-documented change management procedures, you'll be more ready for auditors.

By logging your network device configuration files, and by maintaining procedural guides that document how server operating systems are hardened and how unnecessary services and protocols are removed, you can help ensure that your interactions with auditors go smoothly. In addition, user provisioning systems that document how users are uniquely identified, authorized and removed from access lists are essential. Fortunately, these processes are a fundamental part of any management application. The key, however, is making use of these features.
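As an added illustration, not from the article or from any product it names, of the "collect once, report many" repository and of the change documentation auditors ask for (who changed which policy on which device, when, under which authorization): constructed log lines from hypothetical devices, users and tickets are normalized into one record format, and two auditor reports are derived from that single store.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class ChangeRecord:
    when: str
    actor: str               # staff member who made the change
    device: str              # network device or server that was changed
    item: str                # policy or setting that was changed
    ticket: Optional[str]    # authorization reference; None = undocumented change

# Constructed sample lines (hypothetical devices, users and tickets). The last
# line is routine noise that a collector must learn to ignore.
RAW_LINES = [
    "2007-10-01T09:05Z fw-edge-01 config: user=jdoe item=acl-inbound ticket=CHG-1042",
    "2007-10-02T23:40Z fw-edge-01 config: user=rlee item=nat-rules",
    "2007-10-03T14:12Z db-prod-02 config: user=jdoe item=password-policy ticket=CHG-1050",
    "2007-10-03T14:20Z db-prod-02 noise: keepalive ok",
]

# The ticket field is optional on purpose: a change made without an
# authorization reference must still be captured, so it can be reported.
LINE_RE = re.compile(
    r"^(?P<when>\S+) (?P<device>\S+) config: user=(?P<actor>\S+) item=(?P<item>\S+)"
    r"(?: ticket=(?P<ticket>\S+))?$"
)

def collect(lines):
    """Collect once: normalize raw log lines into the uniform repository."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:   # unmatched lines are not change events and are skipped
            records.append(ChangeRecord(m["when"], m["actor"], m["device"],
                                        m["item"], m["ticket"]))
    return records

def undocumented_changes(records):
    """Report 1: changes with no authorization reference, the gap auditors flag first."""
    return [r for r in records if r.ticket is None]

def changes_by_actor(records):
    """Report 2: who changed what, as actor -> sorted list of (device, item)."""
    out = {}
    for r in records:
        out.setdefault(r.actor, []).append((r.device, r.item))
    return {actor: sorted(changes) for actor, changes in out.items()}
```

Both reports read the same repository, which is the point of collecting once: adding a third report (for example, changes outside business hours) means writing one more function, not another collector.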

When fulfilling the network security requirements of PCI DSS (Payment Card Industry Data Security Standard) and the Sarbanes-Oxley Act, having detailed documentation on infrastructure changes can be the difference between passing and failing an audit.

Based on our discussions with numerous organizations, however, it's clear that even with this information, most businesses don't pass an audit the first time through. Use the failure as a learning experience and ensure that processes are corrected as quickly as possible.

Reporting to Auditors

Between global governance, risk and compliance monoliths, such as OpenPages, and manually updated Microsoft Excel spreadsheets lies a broad swath of tools that can help IT managers demonstrate and enforce compliance with industry rules and government-mandated requirements.

While all the tools mentioned so far have at least some reporting capabilities, eWeek Labs has found that, generally speaking, the breadth of these products' reporting capabilities tends to be inversely proportional to their enforcement capabilities.

In other words, a product such as Ecora's Auditor Professional can provide detailed configuration and change reports about operating systems, databases, applications, and network devices such as firewalls and routers, but it doesn't provide the tools to meet the actual requirements of regulations, such as data encryption.

Conversely, an enforcement tool such as Passlogix's v-GO is very good at providing unique user identities with strong passwords that meet the most stringent user security requirements. The product is also limited to reporting on that information alone.

Almost all organizations will need to use a combination of broad reporting tools and narrow enforcement products to produce the full range of reports needed by outside auditors.

Audit reports and the almost-invariable first-time failure can be used as an opportunity to clean up long-standing problems while also bringing your organization in line with externally mandated regulations.

Keep in mind that the reports are only one point in an ongoing compliance process: After the work is finished and the certification is issued comes another round of data collection and preparation for the next audit.
