Compliance Management and Compliance Automation – How and How Efficient, Part 1

Compliance is all about implementing procedures and technologies that manage / reduce business risk, and efficiently validating that controls are working according to stated expectations that address mandates. In fact, given the complexity and multitude of industry and government regulated compliance mandates, it is better to orchestrate a governance strategy that leverages best practices and a top-down approach to set policies and incorporate guidelines that cost-effectively manage pertinent business risks and explicit compliance requirements.   Many leading analyst and audit firms recommend combining ISO, COBIT and PCI standards as a foundation for governance, risk and compliance management (GRC management).  No one overarching product delivers “compliance.”

For IT (as for other organizations), compliance management is as much (or more) about human commitment as it is technology controls.  As a best practice, the human factors are key to advancing compliance management and where making the right compliance automation decisions start.  This will necessitate organizational (and individual) buy-in, assessment, documentation, accountability, adherence, attestation and education.  Once preliminary compliance policies and oversight guidelines have been established, it then becomes that much easier to apply a bottoms-up approach to incorporate information security (and other) controls and compensating controls.  This often relates to data center management, access management, configuration management and security information management that will support monitoring and documentation according to agreed upon policies and discrete compliance requirements.

Beyond setting policy and procedures, many tools among an organization’s data center management portfolio can support compliance efforts.  The question then becomes finding the right technologies that best streamline internal or external audit processes, as well as those that automate control verification and documentation.  Business process management (BPM) tools can automate and track a variety to GRC process checks and balances within an organization.  But these tools are more about tracking and measuring processes versus compliance management from a data center infrastructure, business applications and user activity technical control perspective.  When it comes to technology controls, the primary concerns are access control, system and application controls, data integrity and protection, and operational resiliency (not to dismiss physical security, secure application development, etc.).

Compliance automation considerations, in regards to data center management and security information event management (SIEM) tools, should include the means to:

• Validate a broad set of information security policies across infrastructure technologies
• Understand asset and identity relationships and be able to associate objects with compliance and audit requisites
• Produce reports that adapt to existing security, governance and auditing processes and frameworks
• Normalize compliance-relevant data across disparate systems
• Address complex and rapidly changing environments
• Meet auditing and data management standards leveraging out-of-the-box and user customizable controls
• Maintain log management integrity and data retention: data capture consistency, audit records and availability
• Facilitate investigations such as identity access control patterns and violations to accurately track identity, location and action
• Reduce control gaps and incident response lag time (MTTR)
• Diminish compliance liabilities and audit duration
• Be easily extensible in terms of new and custom control coverage and reporting

A data center management platform that automates many tasks connected with compliance provides the tangible benefits of reduced business risk, faster response to operational and violation incidents, increased productivity, compliance-related documentation, and lower auditing expenditures.

Part II will examine AccelOps’ integrated data center management approach in the context of compliance automation – such as control verification, compliance documentation, incident management and investigation – with specific examples regarding PCI-DSS.  For more information, please visit http://www.accelops.net/product/siem.php.