Making the Audit (cont.)

Pinpointing the Right IT Compliance Strategy

Having greater control and management over your IT infrastructure is important not only to ensure compliance, but also to enable the business to work as an effective, efficient unit across regional or global locations. "Standardizing our global infrastructure enables us to run the business as if it's truly one company worldwide," says Prentice. "Altiris is right at the heart of all this process. It is enabling us to deploy a consistent environment that we call the Steelcase Global Desktop, customized as needed for each business unit. It also drives down the cost of support because everyone's running a similar environment."

Over the next year or so, Steelcase will continue fine-tuning its audit strategy by building a more general compliance framework that will be used to simplify the effort of meeting and maintaining compliance as the business changes.

Chevron - the never-ending audit?

Although it sounds counter-intuitive, another way to fine-tune your compliance efforts is to act as if the auditing process is never ending.

It's a surprising approach, one that energy giant Chevron is adopting to great advantage. Chevron is a global producer of energy products and solutions, with over 60,000 employees in 180 countries around the world.

Rather than creating point-in-time presentations for auditors, Chevron believes the goal of a good compliance strategy should be auditing the natural (and thus on-going) state of the organization.

"We're aiming for a continuous compliance process, where the effort of remediating and cleaning up compliance issues actually dissolves into the fabric of day-to-day activity," says Paul Huttenhoff, manager of implementation for Chevron's Global Information Risk Management Organization. "The key to such a solution is automated measurements and visibility."

Huttenhoff and his colleagues are engaged in a multi-year, multi-million-dollar compliance automation project using Symantec Control Compliance Suite to gain a continuous view of the company's compliance state.

Says Huttenhoff: "We believe that through this compliance automation, we'll have the foundation of data we need to produce audit data whenever it's required, rather than having a whole separate set of activities to create that type of compliance reporting."

Although Chevron is still deploying the system, the results have already been impressive. For example, one of its larger IT groups estimates it is already saving approximately one hour per server per month across its nearly 900 servers. While the resource savings are helpful, the real business benefit for Chevron is risk reduction. "We're improving our risk position by creating greater visibility and enabling better and more accurate reporting," says Huttenhoff. "We've already made immediate improvements in risk. In the first 60 days one of our groups remediated 11,000 individual compliance items just by having this added visibility."

Chevron is planning to extend the system with additional Symantec technology to automate the collection and monitoring and management of procedural controls. "We recognize that automating the technical controls is only part of the overall compliance story," says Huttenhoff.