Compliance – less burden, more benefits

Author: Paul Gostick

Regulatory compliance has become the boardroom issue of the decade. Executives are paying closer attention because compliance affects every aspect of business operations. And while compliance traditionally focused on the legal aspects of managing policies, newer legislative reforms such as Basel II and Sarbanes-Oxley promote a risk-based approach.

Financial institutions face a cocktail of local, national and international legislation covering a wide range of topics: responsible corporate governance and transparency, the protection of customer information and privacy, and the prevention and detection of illegal activities.

Yet as finance organizations become more complex – with operations being outsourced or even moved offshore – the scope of compliance becomes much broader. Serious consideration must be given to how the business will satisfy its compliance obligations.

While many companies view compliance as a burden, the processes necessary to demonstrate compliance are essentially nothing more than the basic controls necessary to manage business and manage risk. Compliance makes these controls visible to outsiders, and legally enforceable. Companies should recognise that the processes and infrastructure created to ensure compliance are springboards to improved business performance.

Compliance is about confidence, transparency and auditability. The secret is robust operational processes and a culture that fundamentally values effective, auditable controls and fact-based management. Best-in-class IT organizations know it takes people, processes and technology to achieve high levels of service availability, security and sustained compliance.

IT controls and high performance

High-performing IT organisations recognise that their first responsibility is to protect the business from risk. Rather than focussing on compliance as their primary objective, they focus on operating in a manner that satisfies the business’s primary objectives in a way that also achieves compliance.

Bearing this out, research by the IT Process Institute (ITPI) over the past five years has helped establish a causal relationship between key IT controls and IT effectiveness. One of its key findings is that high-performing organizations spent less than half the effort of their peers on compliance.

Drawing on its years of studying best-in-class IT organizations and their approach to operational excellence, the ITPI has published The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps. The Visible Ops methodology codifies a prescriptive approach to building IT processes and controls that achieves compliance while increasing operational effectiveness and efficiency. It comprises four prescriptive, self-fuelling steps that take an organization from any starting point to a continually improving process, and it helps IT managers answer the question, “where do I start?”

Visible Ops creates the instrumentation with which auditors can review processes and controls for effectiveness without having to perform a forensic analysis. This leads to a more productive working relationship, smoother audits and less time spent on audit preparation and remediation. As a result, these organisations have tremendous credibility during audits. That credibility is rooted in a culture and in controls that set clear expectations for how work will be done within the company, how data will be collected and used as a business asset, and which checks and balances keep people true to the process. Credible organizations also demonstrate that there are clear consequences for not following the rules.

Auditors often view the world through the lens of risks and controls. Risks exist, and businesses mitigate them with controls that either prevent a risk from materialising or detect when it has. Organizations should also always be able to correct the problem and recover if a risk does materialise.

Change auditing

As the leading IT audit finding is change related, many organizations are adopting change management tools to improve audit preparedness, reduce risk and control change. These tools are excellent preventive and corrective measures: they automate processes, simplify software deployment and reduce the time it takes to administer system configurations. However, they only see the changes that pass through them. An administrator with direct access to production can bypass both the tool and the process, and nothing in the tool will record that it happened.

Preventive, detective and corrective controls must be implemented in response to the identified risks of change. Necessary preventive controls include separation of roles, change authorization, supervision and enforcement. But to enforce the process, detective controls must be in place that monitor the production environment for changes, reconcile those changes to the approved changes, and report any unauthorized variance. This is change auditing.

Auditors increasingly want to see independent change detection and verification – capabilities that demand more than basic change and configuration management technologies can deliver. As an important component of compliance and security efforts, change auditing occurs independently of the individuals approving and making changes, to close the loop on effective change management processes.

Change auditing reconciles detected changes against tested, authorized changes and alerts when a change is unauthorized. It can also objectively report all change activity, enabling IT to prove the effectiveness of its controls. With change auditing in place, security and compliance processes can be enforced and attempts to circumvent them leave a detectable trace. The caveat is coverage: change auditing only catches changes to the objects it monitors, so the monitored set has to include everything whose unauthorized change would matter.
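To make the reconciliation step concrete, here is an added example (not Tripwire's code and not part of the original article) of the change auditing described above: a baseline of content hashes taken after the last approved release is compared with a current snapshot of the production host, each detected change is matched against the approved-change list, and anything that does not match a tested, authorized change is reported as variance. The file paths, file contents and CHG ticket numbers are constructed for the example; a real agent would read files, permissions and other monitored objects from the host rather than from an in-memory dictionary.

```python
"""Change auditing as reconciliation (added example, constructed data).

1. snapshot()        - hash every monitored object
2. detect_changes()  - diff the current snapshot against the baseline
3. reconcile()       - match each change to an approved, tested change;
                       report unmatched changes as unauthorized variance
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Change:
    path: str
    kind: str                  # "added", "removed" or "modified"
    observed: Optional[str]    # sha256 now in production; None if removed


@dataclass(frozen=True)
class ApprovedChange:
    ticket: str                # hypothetical change-ticket identifier
    path: str
    expected: Optional[str]    # sha256 the tested change should produce


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash each monitored object. Contents are passed in so the example
    runs offline; a real agent reads them from the host."""
    return {path: sha256_hex(content) for path, content in files.items()}


def detect_changes(baseline: Dict[str, str], current: Dict[str, str]) -> List[Change]:
    """Independent detection: compare hashes, not the change tool's log."""
    changes: List[Change] = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before == after:
            continue
        if before is None:
            changes.append(Change(path, "added", after))
        elif after is None:
            changes.append(Change(path, "removed", None))
        else:
            changes.append(Change(path, "modified", after))
    return changes


def reconcile(changes: List[Change], approved: List[ApprovedChange]
              ) -> Tuple[List[Tuple[Change, str]], List[Change], List[ApprovedChange]]:
    """A change is authorized only if a ticket covers the same path AND the
    production hash equals the hash the tested change was supposed to produce.
    A ticketed path that ended up in some other state is still variance."""
    by_path = {a.path: a for a in approved}
    authorized: List[Tuple[Change, str]] = []
    unauthorized: List[Change] = []
    for change in changes:
        ticket = by_path.get(change.path)
        if ticket is not None and ticket.expected == change.observed:
            authorized.append((change, ticket.ticket))
        else:
            unauthorized.append(change)
    # Closing the loop the other way: approved changes that never reached production.
    changed_paths = {c.path for c in changes}
    not_deployed = [a for a in approved if a.path not in changed_paths]
    return authorized, unauthorized, not_deployed


# Constructed sample data: baseline after the last approved release ...
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/opt/app/release.txt": b"1.4.2\n",
}
# ... and what the production host looks like now.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",   # unchanged
    "/etc/sudoers": b"root ALL=(ALL) ALL\ndeploy ALL=(ALL) NOPASSWD: ALL\n",       # no ticket
    "/opt/app/release.txt": b"1.4.3\n",                                            # CHG-1042
    "/etc/cron.d/cleanup": b"0 3 * * * root /usr/local/bin/cleanup\n",             # no ticket
}
APPROVED = [
    ApprovedChange("CHG-1042", "/opt/app/release.txt", sha256_hex(b"1.4.3\n")),
    ApprovedChange("CHG-1043", "/etc/motd", sha256_hex(b"Authorized use only\n")),  # never deployed
]


def audit(baseline_files: Dict[str, bytes], current_files: Dict[str, bytes],
          approved: List[ApprovedChange]):
    changes = detect_changes(snapshot(baseline_files), snapshot(current_files))
    return reconcile(changes, approved)


if __name__ == "__main__":
    authorized, unauthorized, not_deployed = audit(BASELINE_FILES, CURRENT_FILES, APPROVED)
    for change, ticket in authorized:
        print(f"OK        {change.kind:8} {change.path}  ({ticket})")
    for change in unauthorized:
        print(f"VARIANCE  {change.kind:8} {change.path}  no approved change matches")
    for ticket in not_deployed:
        print(f"PENDING   {ticket.ticket} approved for {ticket.path} but not observed")
```

Running it reports the release bump as authorized, flags the sudoers edit and the new cron job as unauthorized variance, and notes that CHG-1043 was approved but never showed up in production. The match on expected hash, not just on path, is what ties detection back to the tested change rather than to the ticket alone.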

To address the growing multitude of regulations faced by financial services organizations, the processes needed to ensure compliance must be woven into the fabric of the company, helping it decrease risk and sustain compliance. While the demands of each regulation vary, common themes run through them all, with proof of IT controls as a fundamental requirement.

Tripwire's all-inclusive change auditing solutions play a critical role in meeting today's demanding needs for regulatory compliance, helping financial service companies achieve sustainable compliance across the many industry and government regulations they face. For more information visit www.tripwire.com/fst

03/2007, Paul Gostick
