How to Parlay Compliance and Audit Investments for Improved Risk Management

By Mitch Christensen  |  Posted 2010-11-05


In the current environment of limited IT staff and budget, efficiency is everything. Nowhere is this more applicable than for IT security teams. There simply aren't enough staff and systems to meet the ever increasing challenges and requirements posed by compliance regulations, internal audits and business risk management.

In particular, the rise in compliance and audit requirements has often squeezed out resources that might have otherwise gone to fundamental security functions such as tight controls on intellectual property (IP) or effective security investigations. As a result, organizations are frequently left exposed and vulnerable. Within this environment, what concrete steps can be taken to meet compliance and audit requirements while simultaneously ensuring the successful implementation of fundamental security controls?

To start answering this question, it helps to reflect on the daily reality of the IT security team. The bulk of the team's time is spread across a few areas. First, there are mundane operational chores such as firewall and Web surfing policy management, and antivirus or intrusion prevention care and feeding. Of course, there are also the periodic rollouts of new platforms and applications.

Next are the inevitable fire drill activities such as proving that it's not "the firewall's fault" that an application is slow or recovering corrupted PCs or "lost" data. And on top of that, there is considerable time spent on meeting audit and compliance requirements that typically consume precious staff resources in gathering log data from a number of sources, normalizing the resulting data, and compiling required audit and compliance reports.

Summarizing what many IT security professionals believe, one information security architect at a large healthcare system recently stated that "operational efficiency is the biggest challenge facing the information security industry."

Leveraging Compliance and Audit-Focused Tools


With this reality, how can IT security teams gain efficiencies that will allow their organizations to put more resources into general threat management? One of the greatest untapped opportunities is to better leverage compliance and audit-focused tools and their accompanying processes for general risk management. Compliance tools and processes consume significant amounts of IT security resources but, perhaps surprisingly, they are rarely leveraged beyond their original scope.

A recent online survey of IT professionals bears this out. When 5,000 IT professionals with compliance and audit responsibilities were asked, "How important is it for you to leverage your compliance and audit solution investments for general risk management and internal security," 84 percent of the respondents said it was either "important" or "very important."

Unfortunately, the reality does not match the aspiration. When these same enterprise professionals were asked, "To what degree are you able to leverage your compliance and audit solution investments for general risk management and internal security," 76 percent answered, "I'm unable to" or "I'm able to but only in a limited way."

Furthermore, when survey participants were asked what was preventing them from achieving this leverage, 59 percent responded that they either "don't have enough staff" or "don't believe this can be done with current technology." A major problem reflected in this last result is that most compliance and audit control activities are labor-intensive, making them impractical to apply on a broad basis.

Principle No. 1: Focusing on a Few High-Value Controls


Despite this gloomy state of affairs, a more efficient use of compliance and audit solutions is possible. Applying a few key principles is the key to success. The first of these principles is to focus on a few "high-value" controls that have clear benefit if deployed broadly in the organization. These include:

1. Data identification: Locate and classify sensitive or valuable data.

2. Identity-based access control: Control who can access this identified valuable data.

3. Data access auditing: Maintain an audit trail of who accesses sensitive data and, whenever possible, what they do with it.

4. Change management: Control and audit all changes to platforms and applications hosting critical data.

5. IT administrator controls: Although admittedly one of the most challenging, this is also one of the most critical controls to achieve. Without reliable auditing of all system administrator activity, including tying the use of generic or shared administrator accounts (root, sysdba and the like) back to the named individual who used them, it is nearly impossible to protect much of anything: every other control can be bypassed by an unaccountable administrator.

6. Third-party controls: Outsourcing must be accepted for the major trend it has become, and the security of third-party consultants and service providers (their access, their accounts and their activity) must receive the same attention as that of internal staff.

These are a good starting point. If they can be broadly and efficiently applied, an improvement in overall security posture will follow.
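Controls 3 and 5 above (data access auditing and administrator accountability) both come down to the same question: when a shared privileged account such as root does something, which person was behind it? The following is an added example, not code from the original article or from PacketMotion, showing one way to answer that from ordinary syslog-style authentication records. It attributes sudo and su activity to the named user who invoked it and flags direct logins to a shared account, which no log can attribute to a person. The log lines, hostnames, usernames and the SHARED_ADMIN_ACCOUNTS list are constructed for the example.

```python
"""Attribute activity under shared admin accounts to a named person.

Added example. The log lines, hosts and users below are constructed;
SHARED_ADMIN_ACCOUNTS is an assumed list that a real site would draw
from its account inventory.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Generic / shared privileged accounts whose use must be attributable.
SHARED_ADMIN_ACCOUNTS = {"root", "oracle"}

# "Mon DD HH:MM:SS host rest-of-message" syslog prefix.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<rest>.*)$"
)
# sudo records the invoking user, the target account and the command.
SUDO_RE = re.compile(
    r"^sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)
# su records who switched to which account on which tty.
SU_RE = re.compile(
    r"^su(?:\[\d+\])?:\s+\(to (?P<target>\S+)\)\s+(?P<user>\S+)\s+on\s+(?P<tty>\S+)"
)
# sshd records the account that logged in, but never the person.
SSHD_RE = re.compile(
    r"^sshd\[\d+\]:\s+Accepted\s+(?P<method>\S+)\s+for\s+(?P<target>\S+)\s+from\s+(?P<src>\S+)"
)


@dataclass
class AdminEvent:
    timestamp: str
    host: str
    actor: Optional[str]  # named person, or None when the log cannot say
    account: str          # privileged account actually used
    action: str


def parse_admin_event(line: str) -> Optional[AdminEvent]:
    """Return an AdminEvent if the line shows a shared admin account in use."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, rest = m.group("ts"), m.group("host"), m.group("rest")

    s = SUDO_RE.match(rest)
    if s and s.group("target") in SHARED_ADMIN_ACCOUNTS:
        return AdminEvent(ts, host, s.group("user"), s.group("target"),
                          "sudo " + s.group("cmd").strip())

    s = SU_RE.match(rest)
    if s and s.group("target") in SHARED_ADMIN_ACCOUNTS:
        return AdminEvent(ts, host, s.group("user"), s.group("target"),
                          "su shell on " + s.group("tty"))

    s = SSHD_RE.match(rest)
    if s and s.group("target") in SHARED_ADMIN_ACCOUNTS:
        # Direct login to the shared account: account known, person unknown.
        return AdminEvent(ts, host, None, s.group("target"),
                          f"ssh login ({s.group('method')}) from {s.group('src')}")
    return None


def attribute_admin_activity(lines: List[str]) -> Tuple[List[AdminEvent], List[AdminEvent]]:
    """Split privileged-account events into attributable and unattributable."""
    attributed: List[AdminEvent] = []
    unattributed: List[AdminEvent] = []
    for line in lines:
        ev = parse_admin_event(line)
        if ev is None:
            continue
        (attributed if ev.actor else unattributed).append(ev)
    return attributed, unattributed


# Constructed sample log for the example; not real data.
SAMPLE_LOG = """\
Nov  5 10:01:12 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Nov  5 10:02:30 db01 su[2211]: (to root) bob on pts/1
Nov  5 10:03:01 db01 sshd[2300]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2
Nov  5 10:03:40 db01 sshd[2310]: Accepted password for carol from 10.0.0.9 port 51240 ssh2
Nov  5 10:04:02 db01 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=oracle ; COMMAND=/usr/bin/sqlplus / as sysdba
""".splitlines()


if __name__ == "__main__":
    attributed, unattributed = attribute_admin_activity(SAMPLE_LOG)
    for ev in attributed:
        print(f"{ev.timestamp} {ev.host}: {ev.actor} as {ev.account}: {ev.action}")
    for ev in unattributed:
        print(f"{ev.timestamp} {ev.host}: UNATTRIBUTED use of {ev.account}: {ev.action}")
```

The unattributed list is the control gap an auditor will ask about: the only fix is upstream, for example prohibiting direct root logins (PermitRootLogin no) so that every privileged action passes through sudo or su and therefore carries a name.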

Principle No. 2: Applying a Laser Focus on Operational Efficiency


The second key principle is a laser focus on the operational efficiency of each solution used to implement each of these "high-value" control activities.

1. Innovate: Don't take the easy way out and implement well-established solutions without thoroughly evaluating their effectiveness. Too often, organizations will implement a solution that's well-established as long as it can support the needed control activities and is perceived as low-risk. The operational considerations take a back seat.

2. Emphasize operational considerations: When determining the evaluation criteria for processes and solutions, put operational efficiency near the top of the list. It can be argued that the following three criteria are nearly all that matter:

-Coming close enough to satisfy the control objective: it doesn't have to be perfect.

-An acceptable level of risk: evaluating the risk of impact to application availability and the likelihood that the control will fail.

-Operational efficiency: the ongoing staff requirement to implement the control.

3. Tool consolidation: Additional operational overhead is often a result of the proliferation of security point solutions and data sources. Training and maintenance requirements rise, and the normalization and correlation of data can be very labor-intensive. This fact may be overlooked during the decision to implement individual tools.


4. Flexibility and compensating control potential: Compliance and audit requirements are dynamic: additional systems and applications become "in-scope" and new controls are requested. Select solutions that are flexible enough to meet additional requirements without significantly increasing operational overhead.

Such solutions also need to lend themselves to efficient implementation of control activities that can be used as compensating controls. This strengthens the negotiating position of the IT security staff when responding to auditors' control objective requests, while simultaneously improving overall risk management posture.

When implementing these suggestions, it's important to keep in mind the powerful morale boost that taking this approach typically generates. Let's face it: Many, if not most, IT security professionals view compliance and audit control activities as largely ineffective and wasteful. In contrast, taking a cooperative approach that focuses on broad application of high-value controls that are operationally efficient is a game changer.

Everyone involved can appreciate the attention paid to the operational impacts of the activities as well as the efficacy of the controls. This, in turn, leads to improvement of both the morale and the cross-functional effectiveness of the teams involved, further driving a more effective risk management posture. By more effectively parlaying compliance and audit activities to achieve greater business risk management, IT teams gain valuable efficiencies that benefit the entire enterprise.

Mitch Christensen is Chief Technology Officer and Chief Architect at PacketMotion. Mitch has more than 25 years of experience designing and developing groundbreaking technologies that include distributed systems, search engine software and large-scale data storage solutions for government and commercial customers. Before joining PacketMotion, Mitch was the chief architect and lead designer for Informatix where he deployed an innovative search engine, document management system, and next-generation paperless payment processing systems for governmental agencies.

Previously, Mitch served as the principal architect at Centegy Corp., where he led the development of the flagship remote integrator business integration server. Mitch also worked as senior architect at The Dialog Corporation where he brought their proprietary search engine technology and massive online content to the Web. In addition, Mitch spent several years doing research and development in the telecommunications industry. Mitch holds a patent for core remote integrator technology. He can be reached at
