Making the Audit (cont.)
Pinpointing the Right IT Compliance Strategy
Don Young, Director of IT Infrastructure, AMERICAN SYSTEMS
To take its system to the next level, Chevron will round out its automation of technical controls through automated collection of information surrounding the procedural activities that are part of the compliance process. "The compliance architecture of the technology solution is sound. We expect it will ultimately scale up to close to 10,000 servers," says Huttenhoff. "The end result is that it takes compliance burdens off the radar and pushes them down into the day-to-day operations. But the real benefit is that it allows the business to focus on producing energy, not on compliance."
AMERICAN SYSTEMS - compliance for private companies
One of the benefits of being a private company is freedom from regulations. So why would a private company voluntarily comply with SOX and other regulations?
"We have a directive from our CIO, Brian Neely, to implement a compliance strategy," says Don Young, director of IT infrastructure for AMERICAN SYSTEMS, an employee-owned IT services company of 1,500 headquartered in Chantilly, Virginia. "If it's good enough for the big publicly traded corporations, it can't be bad for us."
The result has been a process of conducting business-focused and IT audits once a year - both performed by outside auditors.
Even though, as an employee-owned, privately held organization, AMERICAN SYSTEMS isn't required to address the same regulatory compliance issues that larger companies need to, the firm's business and IT leadership feels it can leverage the best practices resulting from compliance requirements such as Sarbanes-Oxley and COBIT to make the company's organization more effective and efficient.
That might seem like a tall order for Young's IT infrastructure group, since it has only nine people to manage the entire infrastructure - servers, switches, firewalls, routers, intrusion protection, security, backups, and all. But this lean team balances new compliance and auditing requirements with all the traditional day-to-day operational needs as well as strategic planning to meet new business requirements.
How? For Young, an important component of building a winning IT compliance strategy is automating processes wherever possible and using technologies - including ones from Symantec - to help monitor and document important IT and end-user processes.
For example, AMERICAN SYSTEMS has had an enterprise-wide deployment of Symantec BindView bv-Control for several years and is about to upgrade to Symantec Control Compliance Suite. The products are particularly helpful for pinpointing potential compliance issues. "We use a lot of Symantec's reporting capabilities, such as being able to identify failed users and failed machines, and running compliance reports," says Young. The result is not only better compliance, but increased productivity and lower audit preparation costs for the IT group.
AMERICAN SYSTEMS has also found that the right reports and automation can also make the yearly audits easier. "This year, when we did our audit, I was able to generate reports as evidence that we were indeed doing what we say we're doing and the outside auditors accepted those," says Young. "Next year, I hope to be able to hand them a stack of papers when they come in and have them approve them without requiring any additional questions."
Looking forward, AMERICAN SYSTEMS is excited about the next generation of Symantec Control Compliance Suite. "Symantec Control Compliance Suite 8.5 has new features that deal with policy management and the entitlement report," notes Young. "I certainly like the idea of being able to put my policies in and map them to existing sets of controls, making sure I have accounted for all those Sarbanes-Oxley-type areas and all the different frameworks we want covered." After upgrading to 8.5, Young plans to build a schedule of compliance checks and set up a compliance dashboard.
Getting smart with IT compliance
While there are probably as many ways to ensure that you're in compliance as there are ways to be out of compliance, smart organizations have learned that there are a number of strategic actions they can take to fine-tune their compliance efforts - saving them time, money, and staff effort.
"A couple of years ago, companies thought of IT as a competitive advantage. Today, competitive advantage is how organizations manage their IT-related risks," says Rey. "Through different events, we've seen companies that don't address risk and IT risk as part of their operational procedures will probably grow more slowly, be less profitable and might even disappear."
By increasing the frequency of audits, automating IT management and controls, and establishing and measuring objectives, organizations can fine-tune their compliance efforts. Not only will such steps reduce compliance costs, complexity and security risks, but over time, they'll enable good governance and make any company more competitive.
David A. Kelly's work also appears in the New York Times.