Paul Prentice, Manager of IT Security and Compliance, Steelcase
Making the Audit
Pinpointing the Right IT Compliance Strategy
No one likes regulation - or do they? More and more companies are finding that compliance activities such as audits can actually guide them to better governance and more efficient operations. In some cases, private companies are willingly complying with regulations that don't legally apply to them. Why? Because they embody a discipline and methodology that results in a better-run organization.
The evolving compliance landscape
Over the years, the IT compliance landscape has evolved from a fairly basic focus on network security and protecting corporate networks from external threats to a much broader range of IT governance issues, including risk management and meeting compliance requirements. In fact, for many organizations, IT compliance has many facets and extends from the data center to the desktop.
Unfortunately, with the broader focus, some companies have found that compliance-related activities take up too much time and too many resources, and many organizations still rely on inefficient ad-hoc or manual solutions. That's why some are revisiting their IT compliance strategies to see if they can fine-tune them to minimize the effort and resources dedicated to compliance while maximizing the business benefits.
A good place to start is to analyze the potential risks through a risk-based audit program. "A well-designed risk-based audit program is vital to increase audit efficiency and effectiveness," says Jorge Rey, information security and IT audit manager with Kaufman, Rossin & Co., a Miami-based independent CPA firm serving international clients. "This will determine the appropriate audit approach and coverage and identify risks and vulnerabilities."
Of course, determining just how to structure your auditing process can be tricky and will depend on the compliance needs you're trying to meet. "The frequency of an internal audit should depend on the potential that a threat will exploit any given vulnerability of a system that can cause loss or damage to the system," notes Rey.
Automating IT controls and processes is another important consideration for organizations pinpointing their compliance strategy. This can be especially critical for large enterprises that need to deal with a wide range of compliance and auditing requirements.
Steelcase - taking compliance global
Managing IT compliance efforts takes on a whole new meaning when you're trying to do it on a global scale.
Take the example of Steelcase, a global office furniture leader based in Grand Rapids, Michigan. The company operates worldwide and has over 14,000 employees. A key goal for IT over the past few years has been to design and upgrade the company's IT infrastructure, making it easier to conduct business and exchange data globally.
From Sarbanes-Oxley to HIPAA to PCI and the European Union's Safe Harbor, Steelcase must not only comply with different regulatory and business requirements, but do so cost-effectively. That's where Symantec's Altiris product family comes in.
"Compliance requirements have grown rapidly in the last few years, so we've had to pay much closer attention to what we're trying to do worldwide," says Paul Prentice, manager of IT security and compliance for Steelcase. "We've used Altiris to help identify and manage software installed on our users' desktops and ensure it's all been appropriately licensed. We can even use Altiris to remove unlicensed MP3 files or other software from their computers so we're compliant with licensing laws."
In addition to helping Steelcase manage the cost of software license compliance and avoid legal liabilities for unauthorized use, Altiris has also helped automate and manage a range of infrastructure tasks. "We have used Altiris to drive down the cost of license compliance while still maintaining compliance and business goals, as well as managing patches," says Prentice. "Altiris lets us rapidly test and push patches to thousands of devices, and that reduces our risk from threats against new vulnerabilities that come up. We also use it for software distribution, ensuring that users worldwide are getting exactly the software they need."
The solution is a sea change from Steelcase's previous attempts to solve the problem. "With Altiris Patch Manager we're able to do patch management with fewer resources because it only needs one person to manage the process," says Prentice.