IT Security Compliance: What are the Critical Success Factors?
In recent times there has been significant growth in the intensity and complexity of legislation and regulation that relates to corporate governance. The US Sarbanes-Oxley Act has driven those companies that are quoted on the New York Stock Exchange into a detailed re-evaluation of their procedures for managing and reporting audit information. Similar regulation has been introduced for companies quoted on the London Stock Exchange. The effects of this regulation have not been confined to those organizations directly impacted. Because a business is expected to show due diligence in the management of all of its audit-related information, it will need its business partners, particularly those with whom it has network connections, to meet the same stringent requirements.
An IT department has to move forward from the current service delivery focus to an extended due diligence perspective. This means higher costs to sustain audits and evidence collection and to satisfy compliance with standards and regulations. Based on market surveys and Symantec experience, those IT departments that want to manage IT security compliance effectively should consider the following critical success factors:
• Establish the real compliance needs by performing a thorough assessment of the regulatory standards and best practices that impact the IT organization, and then define the compliance strategy accordingly.
• Adopt a well-defined compliance framework, establishing processes and procedures to ensure continuous compliance management instead of a very expensive and time-consuming “on-demand reporting approach.”
• Increase the frequency of audits, investing in automated solutions that enable organizations to execute technical and organizational controls effectively, reducing the time spent by IT operational staff on compliance.
In order to help meet these complex challenges and the high cost of security compliance, Symantec has developed a comprehensive Enterprise Compliance Program based on a well-defined process framework divided into three main phases:
• Define. Organizations should begin the compliance path by analyzing the compliance needs and defining the overall compliance strategy. Many companies have to comply with multiple regulations or simply want to adopt several standards and best practices to satisfy the corporate governance rules. In these cases it is essential to establish a policy system that translates the compliance statements into very clear and auditable controls.
• Control. Following the defined compliance strategy, the program should establish an effective IT security internal controls system. The formal processes that are in place should guarantee continuous management of this controls system, from the “control definition” process to the “control improvement” activities. Every change in policy statement, strategy, or scope could imply a new or revised IT security control. This phase is essential to reduce the effort and complexity of meeting compliance requirements.
• Govern. Compliance management does not mean simply generating reports, but rather identifying the non-compliance items with the aim of managing them promptly. Essentially, a good compliance framework should address a set of core processes covering the entire compliance life cycle, from control execution to remediation planning.