Lack of IT Governance Complicates Compliance with Costly Consequences

By David Almquist and Lane F. Cooper
BizTechReports.Com

Compliance breakdowns and governance failures across industry sectors are now among the most common – and unwelcome – headlines in the business press today. Despite these frequent reminders of the costly consequences of lax security risk management, there is still evidence that many organizations do not give this issue sufficient executive attention.

According to a survey of 224 IT and non-IT professionals conducted by Enterprise Management Associates (EMA), nearly a third of respondents (29 percent) indicated that the board of directors and senior executives do not properly support IT Governance, Risk Management and Compliance (GRC) initiatives.

"There are continued examples…that illustrate how a lack of IT governance and risk programs can lead to a lack of overall business controls that ultimately results in near-catastrophic outcomes," said Scott Crawford, EMA research director. "IT GRC has become a very loaded term, with incredibly high expectations. Yet, in many cases, it is still loosely defined, let alone well understood. This limits the ability of senior management to support IT GRC initiatives, resulting in greater exposure to risk and – worst of all – hampering the ability of IT to deliver tangible business value."*

Hurdles to Clear

Responding effectively to the imperative of governance, risk management and compliance requires both more resources and better executive support. A growing number of experts believe that the primary obstacle to effective compliance solutions revolves around a fundamental lack of sufficient resources.

“I have never met a security manager or CISO who felt they had enough money and people,” says Marne Gordan, Corporate Security Strategy Group at IBM.

Part of the problem is attitudinal. Many organizations view compliance as another unfunded mandate; a needless expense far removed from any kind of profit center. “The security industry tries to make the case for security ROI, but you end up trying to prove a negative,” explains Gordan. “If nothing bad happens in your environment for two years, then the thinking is: ‘That’s great…we don’t need to spend any more money or waste any more time on this.’”

Another major hurdle is that many organizations face multiple compliance requirements. For example, a publicly traded healthcare organization would be subject to Sarbanes-Oxley, HIPAA and PCI DSS, as well as initiatives from the European Healthcare Fraud and Corruption Office. With compliance dates staggered and the focus of each regulation slightly different, organizations tend to create silos when setting up their compliance programs. They may end up with three sets of monitoring initiatives and three different incident response plans.

Finally, there is a lack of visibility into systems and user activity. Organizations see enterprise solutions as far too costly, and existing silos prevent full visibility into the business from a compliance perspective.

Compliance solutions will depend on the level of sophistication of the organization. “This is where international standards like COBIT and ISO27002 can really help,” says Gordan. “But something as robust as COBIT is overkill for a lot of organizations. Whereas something like ISO27002 is very approachable and helps you get a good handle on your information security, but doesn’t automatically translate up to governance.”

Automating the Governance, Risk Management and Compliance Process

Reliance on manual processes today is still common. “In fact the number one compliance tool worldwide is Excel,” says Gordan. “People run to a spreadsheet and make a check list.”

Automation would save substantial time and trouble, reducing duplicated efforts and providing more reliable test results along with more proof to give senior managers and auditors that controls are functioning effectively. “Third-party auditors can’t accept a spreadsheet as proof,” said Gordan. “There is no standardization, no version control, no documentation of how many people have access to it or when it was last updated.” This forces auditors to do their own testing, which drives up audit and consulting fees, and only ends up concluding that the organization doesn’t really know what’s going on in its environment.

“Everyone thinks of automation as a huge architecture overhaul,” says Gordan. “It can be something as simple as introducing reliable log collection and log management.” Ideally, a combination of IDS (host-based or outsourced), identity management, access management, network monitoring, and an alert mechanism will establish a strong security posture that satisfies a variety of regulatory requirements. The ultimate goal is to establish baseline and trendline activity for the target environment, so that anomalous activity can be identified and the organization can respond immediately. “Even if you don’t get beyond log management initially, it will save you money over time and give you proof of a good faith effort to comply,” explains Gordan.

Organizations can start by conducting a thorough risk assessment, prioritizing the risks and then addressing what is most pressing. Ultimately they can have a central policy repository, with IDS and identity and access solutions that establish baselines for normal behavior and follow trend lines over time.

To learn how IBM can work with you to establish effective Governance, Risk Management and Compliance programs, please call: 1-877-426-3774


*http://www.reuters.com/article/pressRelease/idUS153429+28-May-2008+PRN20080528