In the early part of 2006, I had many conversations with corporate executives, IT managers, CSOs, CIOs, reporters and analysts about some of the challenges facing companies that are dealing with the need to better secure their sensitive data for regulatory compliance. Consistently, whether at customer sites, at the RSA conference, or other venues, I kept hearing the same question: what does the broad, patchy regulatory landscape mean for an organization's data-related compliance efforts in the next few years?
Because this is clearly a hot topic, I summarized the discussions across these disparate groups into three significant issues for 2006 and 2007. These are:
- the continued push to automate manual processes and its impact on compliance,
- the struggle to understand, and then satisfy, sometimes unclear regulations, and
- the inevitable requirement to provide a usage audit trail for any sensitive data in every corporate application.
Following are some observations on each issue:
1. Automating Manual Processes to Help with Compliance
When companies scramble in the first year in which a regulation comes into force, they very often use manual processes just to "pass the first audit." Automating is the next step. This point goes deeper than simply gaining efficiencies. Of course, the entire history of data processing is really the story of increasing efficiency and speed by automating manual processes. However, the pressure to automate has recently taken on extra urgency as various government regulations make it almost impossible to achieve compliance unless a process is automated. Imagine trying to search all electronic communications for certain key phrases or trying to validate all changes to a sensitive corporate database - automation makes it possible.
Let's not lose sight, though, of the efficiency gains provided by automation. For example, some companies report that automation of manual database auditing processes provides not only a more complete solution but also allows IT staff to refocus on tasks that add value to the business and, importantly, are more professionally fulfilling. Another aspect of efficiency is derived from using automated solutions that provide uniformity across a diverse infrastructure. This reduces training and administration requirements and provides the auditors with a more consistent view of the IT landscape under examination.
One more benefit of automation arises from the testing effort auditors must expend on the different kinds of controls in an organization. For example, under the Public Company Accounting Oversight Board (PCAOB) audit standards, which govern the firms that audit public companies, a manual control must be subject to greater scrutiny than an automated control. That increased scrutiny takes time and costs money.
As organizations work to automate internal processes, it is important that they also build in the ability to document and verify the fact that the automated process is executing, who controls the process, who sees the records generated by the process and who can manipulate them. In other words, the automated process must itself be trusted and verifiable.
2. Interpreting Regulations to Build an Efficient Compliance Framework
Often, when people hear about a "regulation" they imagine a stringent set of precise requirements - almost a checklist of exact, carefully spelled-out items full of "you must" and "you may not" language. Unfortunately for those charged with corporate compliance, this is usually not the case. An industry standard written by the card brands, such as the PCI Data Security Standard, comes close to this image. Government regulations such as Sarbanes-Oxley (SOX), however, are much harder to interpret. They are actually more like a loose set of frameworks, suggestions and best practices. Divining precise, actionable instructions from these regulations is like parsing the statements of Alan Greenspan - there's lots of room in there to be right or wrong.
This creates a difficult situation for organizations that are trying to organize their processes and IT systems with compliance in mind - they must become mind readers. What will an auditor or a regulator ask for? What will they accept? Will the IT system deliver the right information in the right format in a timely manner? The challenge is to create, as much as possible, a uniform framework that is adaptable enough to help with the compliance requirements while enabling quick adjustments as regulations are interpreted and changed.
As one example, let's look at Sarbanes-Oxley. Does the language of SOX give precise guidance on what IT policies and safeguards must be in place? Absolutely not. SOX requires management to assess its internal controls against a recognized control framework, which in practice is almost always COSO. Does COSO provide precise guidance on what IT policies and safeguards must be in place? Again, the answer is no. So where does this guidance come from? It comes from the external auditors. That injects still more uncertainty, because it depends on which external audit firm your company uses. Additionally, the requirements for this year are going to be built on, and more rigorous than, the requirements from last year. Therefore, mapping from regulation to framework to business applications to controls is a messy business.
What can organizations do in this amorphous and changing environment? An important approach is to find compliance-supporting software that is "horizontal" - that can be applied to many if not all of the regulations affecting the business. Consider database auditing as an example. Almost every modern regulation requires accountability for who does what to data - organizations will have to provide an accurate, timely audit trail of any user activities that affect their databases. Reports on top of such a platform can provide the regulation-specific support needed. This approach is more efficient than using silos of technology that are different for each regulation.
3. Tracking Activity Against Sensitive Data in Every Application
Given the centrality of data in modern regulatory regimes noted in the previous observation, it seems inevitable that organizations will weave data access accountability into every application. I've heard this from IT experts at all levels. Existing applications will need to be retrofitted to achieve this (if this is even possible), and new applications will be designed with this in mind. In addition, a "defense in depth" approach will be required. To complement the accountability built into the application, organizations will need to deploy solutions at the database underlying those applications, because privileged users can access the database directly without transiting through the application. And because that database-level audit trail is itself a record those same privileged users can reach, it has to be protected from them as well - written somewhere they do not control, or made tamper-evident - or it proves nothing.
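As an added example (not code from this column, and not any vendor's product) of the database-level accountability this section calls for, combined with the first observation's demand that the automated process itself be verifiable: a trigger-based audit trail that records every change whether it arrives through the application or through a DBA's direct connection, plus a hash chain that makes after-the-fact editing of the trail detectable. SQLite stands in for a commercial DBMS, so the session identity and hash function that real databases supply natively are registered here as per-connection Python functions; the table, column and actor names (acct, audit_log, app:alice, dba:mallory) are constructed for the illustration.

```python
"""Database-level audit trail that catches direct (non-application) access
and is tamper-evident.  Added illustration, not code from the column.  SQLite
stands in for a real DBMS: the session identity (current_actor) and hash
(chain_hash) that Oracle/SQL Server/PostgreSQL provide natively are supplied
as per-connection Python functions.  Table and actor names are invented."""
import hashlib
import os
import shutil
import sqlite3
import tempfile


def chain_hash(prev, actor, op, row_id, before, after):
    """Hash of one audit record, linked to the previous record's hash."""
    payload = "|".join(str(v) for v in (prev, actor, op, row_id, before, after))
    return hashlib.sha256(payload.encode()).hexdigest()


def open_session(db_path, actor):
    """Connect as `actor`.  A connection that does not register these
    functions cannot modify acct at all: the triggers fail closed."""
    conn = sqlite3.connect(db_path)
    conn.create_function("current_actor", 0, lambda: actor)
    conn.create_function("chain_hash", 6, chain_hash)
    return conn


# The hash of the newest audit row is the chain head; each new row links to it.
HEAD = "COALESCE((SELECT hash FROM audit_log ORDER BY seq DESC LIMIT 1), 'genesis')"

SCHEMA = f"""
CREATE TABLE acct (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER NOT NULL);
CREATE TABLE audit_log (
    seq INTEGER PRIMARY KEY AUTOINCREMENT, actor TEXT NOT NULL, op TEXT NOT NULL,
    row_id INTEGER, before TEXT, after TEXT, prev_hash TEXT NOT NULL, hash TEXT NOT NULL);
-- Fires for every writer, whether the application or a DBA at a SQL prompt.
CREATE TRIGGER acct_update AFTER UPDATE ON acct BEGIN
    INSERT INTO audit_log (actor, op, row_id, before, after, prev_hash, hash)
    VALUES (current_actor(), 'UPDATE', NEW.id,
            OLD.owner || ':' || OLD.balance, NEW.owner || ':' || NEW.balance, {HEAD},
            chain_hash({HEAD}, current_actor(), 'UPDATE', NEW.id,
                       OLD.owner || ':' || OLD.balance, NEW.owner || ':' || NEW.balance));
END;
CREATE TRIGGER acct_delete AFTER DELETE ON acct BEGIN
    INSERT INTO audit_log (actor, op, row_id, before, after, prev_hash, hash)
    VALUES (current_actor(), 'DELETE', OLD.id, OLD.owner || ':' || OLD.balance, NULL, {HEAD},
            chain_hash({HEAD}, current_actor(), 'DELETE', OLD.id,
                       OLD.owner || ':' || OLD.balance, NULL));
END;
-- First line of defence: the log is append-only (a real DBMS would REVOKE instead).
CREATE TRIGGER audit_log_ro BEFORE UPDATE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit log is append-only');
END;
"""


def verify_chain(conn):
    """Recompute the chain from 'genesis'; returns (intact, first_bad_seq)."""
    prev = "genesis"
    rows = conn.execute("SELECT seq, actor, op, row_id, before, after, prev_hash, hash "
                        "FROM audit_log ORDER BY seq")
    for seq, actor, op, row_id, before, after, prev_hash, h in rows:
        if prev_hash != prev or chain_hash(prev, actor, op, row_id, before, after) != h:
            return False, seq
        prev = h
    return True, None


def run_demo():
    workdir = tempfile.mkdtemp()
    db = os.path.join(workdir, "ledger.db")
    try:
        setup = open_session(db, "deploy")
        setup.executescript(SCHEMA)
        setup.execute("INSERT INTO acct VALUES (1, 'alice', 100), (2, 'bob', 50)")
        setup.commit()

        # Path 1: the application, acting for an authenticated end user.
        app = open_session(db, "app:alice")
        app.execute("UPDATE acct SET balance = balance - 30 WHERE id = 1")
        app.commit()

        # Path 2: a DBA connects directly and never touches the application.
        dba = open_session(db, "dba:mallory")
        dba.execute("UPDATE acct SET balance = balance + 1000 WHERE id = 2")
        dba.commit()
        trail = [tuple(r) for r in dba.execute(
            "SELECT seq, actor, op, row_id, before, after FROM audit_log ORDER BY seq")]
        intact, _ = verify_chain(dba)

        # The DBA can drop the append-only guard (it lives in the same database)
        # and rewrite the record, but not without breaking the hash chain.
        dba.execute("DROP TRIGGER audit_log_ro")
        dba.execute("UPDATE audit_log SET after = 'bob:50' WHERE actor = 'dba:mallory'")
        dba.commit()
        still_intact, bad_seq = verify_chain(dba)
        for c in (setup, app, dba):
            c.close()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return {"trail": trail, "intact": intact,
            "tamper_detected": not still_intact, "first_bad_seq": bad_seq}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two caveats the example makes visible. A user who can DROP TRIGGER can also drop the append-only guard, so the chain head has to be copied off the box (or signed) on a schedule by something the DBA does not control; otherwise a determined insider rewrites the whole chain. And a trigger-based trail records writes only: reads of sensitive data still need the DBMS's native audit facility or a network-level monitor, which is the "solution at the database" the text is pointing at.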
Automation, interpretation and breadth of coverage are common challenges representing a huge undertaking that will not be completed during 2006. However, efforts to address these issues are underway now and will become one of the dominant compliance-related IT efforts in the next 24 months.