Continuous IT Compliance: A Stepwise Approach to Effective Assurance BEST PRACTICES WHITE PAPER

Transcription

1 Continuous IT Compliance: A Stepwise Approach to Effective Assurance BEST PRACTICES WHITE PAPER

2 Introduction Regardless of industry, most IT organizations today must comply with a variety of government, industry, and corporate policies to protect their data and infrastructure, and to assure efficient service delivery with minimal risk. Unfortunately, in most cases, their compliance efforts are expensive, inconsistent, and incomplete. If this describes you, at best you re wasting time and money on compliance efforts that don t work. At worst, you re risking fines, lawsuits, embarrassing headlines, and even lost sales as nervous customers abandon you. It is possible, however, to achieve continuous compliance that not only meets your control objectives, but does so in a cost-effective manner. This white paper describes a six-step approach to achieving and maintaining compliance efficiently and cost effectively. 1

3 The Six Steps to Compliance Organizations face compliance requirements from a variety of regulatory, industry, and organizational sources. Regardless of the source of a requirement, however, an IT organization should establish and follow a standardized process for compliance. Based on our experience with numerous IT organizations, we ve identified the following six steps as a good-practice approach to assuring compliance: 1. Define and document your compliance objectives 2. Baseline your current infrastructure/organization against your objectives 3. Take action to bridge any gaps identified 4. Validate whether or not compliance has been achieved 5. Continuously improve the compliance process 6. Measure and report on (i.e., verify via audit) the status of compliance These steps are shown in the diagram below. MATURITY Define and Document Baseline Take Action Continuous Improvement Validate Measure and Report Define and Document This step involves specifying and recording the compliance objectives you wish to reach. These should include not only high-level business goals such as Make our accounting systems compliant with the Sarbanes-Oxley Act, but also the low-level control objectives necessary to achieve the business aims (e.g., Ensure all servers are patched on a regular basis ). During this step, you should also define the metrics by which you can measure success during the final Measure and Report stage of the compliance process. It is important, therefore, to choose metrics you are sure you can obtain and report on later. These should include both high-level metrics that will be meaningful to IT and business management, as well as more detailed metrics that track progress on the lower-level control objectives. The specific metrics you choose will also be determined by the area of compliance on which you are focusing. For example, if you are focused on change and configuration management, you might define metrics such as percentage of configuration items compliant with change management policy. To avoid confusion and miscommunication, be sure to document and publish the objectives and the metrics for all staff members involved in the compliance effort. A central program office that manages all IT projects or a central compliance program management office focused strictly on compliance are both excellent ways to manage and maintain the compliance effort and to communicate progress on your compliance objectives and metrics to all stakeholders. Baseline With the compliance and control objectives and corresponding metrics in hand, the next step is to identify the organization s starting point. During this step, you are evaluating your current level of compliance versus your defined objectives. Ideally, the baseline process should as automated as possible to ensure accuracy and consistency. The application of the appropriate technology (e.g. discovery tools, configuration data repository, etc.) is an effective means of driving standardization and efficiency in your baseline definition efforts. The result of the baseline step is a gap report, describing where you stand with regards to your specific compliance objectives. Now, you are ready to start improving things. 2

4 Take Action This step involves not only changing your infrastructure and operations, but, perhaps more importantly, also changing your people and your culture. You may need to change the way people work, the processes they follow, and/or the tools they use to achieve compliance. Before proceeding, however, understand that both the size and the nature of the gap are crucial to defining the remedial action you will need to take. The size of the gap is the quantifiable degree of difference between where you are and where you want to be. The nature of the gap is the underlying reason for that difference. While establishing the size of the gap is generally straightforward (e.g. the number of un-patched servers or the percent of unsuccessful changes to the systems under your control), determining the nature of the gap can be a bit more complicated. For example, your baseline may show that 25 percent of the servers are not properly patched. Determining the root cause for this deficiency (e.g. human error, technology failure, or process failure) may not be immediately apparent but is critical to applying the proper remedial actions. Once the size and nature of the gap is defined, remedial actions can take place. As previously mentioned, it is best to automate as much of the remediation process as possible. Automation helps ensure that control objectives are consistently and continuously applied. It also allows organizations to make better use of limited technical resources, allowing senior engineers to define the policies that are then automatically and consistently applied across the infrastructure. Finally, automation can also be leveraged to address process and people gaps. Once a process has been reviewed and improved (if necessary), automating it will ensure it is consistently enforced. Likewise, automation goes a long way toward eliminating human error by removing people from the loop wherever possible and practical. Validate Validation means ensuring the actions taken actually achieved the compliance objectives. Has infrastructure configuration drift been reduced? Has the over-utilization of software licenses been eliminated? This is where you earn the payoff for the care you took in defining your metrics, and for planning for how to capture and analyze those metrics. Validation should be a straightforward exercise of comparing your current-state measurements to the target metrics you previously defined. You don t want, at this stage, to be scrambling to assemble data for validation after the fact. Doing so costs more money, takes more time, and raises the risk of an inaccurate assessment. As with taking action, automated validation can help to cut costs and improve consistency. During validation, take care to identify policy violations that are really exceptions. For example, your server hardening policy might state that FTP must be disabled on all servers. But some servers might have FTP enabled for a valid business reason. In this case, you don t want your compliance fix to get in the way of real work. Exceptions should be documented so they do not repeatedly trigger violation flags during subsequent validation cycles. Continuously Improve By definition, effective compliance requires continuous diligence and improvement. Organizations need to continuously review the effectiveness of their compliance activities. For example, based on the results of the validation step, you may need to revisit your remediation actions to refine processes and/or control policies to more fully achieve the control objectives. Further, continuous improvement goes beyond just meeting compliance goals to ensuring that those goals are met in a cost-effective, sustainable manner. You might, for example, initially meet your infrastructure configuration compliance requirements by hiring 20 temporary workers for two months to manually apply server patches. But by automating that process, you could not only eliminate the extra staff cost, but make it easier to maintain compliance consistently over time. 3

5 Measure and Report The final step in the process is providing external proof that your compliance objectives have been met. During this step, you measure and report on the progress against the objectives defined in the first step. The measurement should be done, to the greatest extent possible, in an automated, consistent, and scheduled way to minimize disruption to users, and to assure consistent and meaningful comparisons over time. A formal communications plan helps ensure that business and technical managers receive the information they need in the form most useful to them, whether that be a detailed report on specific technical changes or a color-coded dashboard highlighting overall progress toward business-level compliance objectives. Depending on the nature of the compliance objectives, this reporting may be done to external auditors or internal business management. In either case, the measurements and resulting information should clearly correspond to the initial goals, and be presented in a format that makes it easy to understand the levels of compliance achieved as well as any remaining gaps. Summary For both legal and business reasons, compliance is not an option but a requirement for the modern IT organization. The risks of financial penalties, lost business, or damaged credibility are too great to ignore. The good news, however, is that the steps that result in effective compliance also deliver the benefits of a better managed IT organization: Lower costs, reduced risk, increased agility, and ongoing improvements in service quality. Those organizations that move most quickly to adopt these best practices in achieving compliance will also be the first to reap business benefits that go far beyond avoiding risk. How BMC Can Help BMC s Business Service Management (BSM) for IT Governance Risk and Compliance solutions help organizations to not only avoid risk, but to do so in a cost-effective and consistent manner. BMC s comprehensive suite of industry-leading BSM tools enable customers to simplify, standardize, and automate their IT operations resulting in substantial value being delivered around the globe. 4

6 Business runs on IT. IT runs on BMC Software. Business thrives when IT runs smarter, faster, and stronger. That s why the most demanding IT organizations in the world rely on BMC Software across both distributed and mainframe environments. Recognized as the leader in Business Service Management, BMC provides a comprehensive and unified platform that helps IT organizations cut cost, reduce risk, and drive business profit. For the four fiscal quarters ended September 30, 2009, BMC revenue was approximately $1.88 billion. Visit for more information. *121164* BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners BMC Software, Inc. All rights reserved.