SECURITY MANAGEMENT

Help customers institute IT governance frameworks to achieve regulatory compliance


Adam Rice
04.25.2007




When the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA) and the PCI Data Security Standard first came on the scene, few organizations were willing to be the first to invest in meeting their regulatory compliance requirements. Most sat back and watched others in order to gauge the cost of becoming compliant. Now those organizations are being forced to address the details of their respective requirements, and many are making a common mistake: they either refuse to change the way they run IT, or they treat the symptoms produced by bad or nonexistent business processes and so continue a cycle of inefficiency. You can keep your customers from making these mistakes by building a process around three general questions.

  1. What is the scope?
    By defining the scope of the requirements, an organization can limit the impact of compliance. If only one system on the network handles financial reporting, for example, then the technical measures needed for SOX compliance can be confined to that system and to whatever can reach it. The caveat is that a narrow scope is only as credible as the controls that enforce it: an auditor will expect the in-scope system to be segmented from the rest of the network, with access to it restricted and logged, before accepting that everything else is out of scope.
  2. What is the framework that will define the controls?
    IT controls exist to protect assets and to keep networks running reliably. COBIT is an example of an IT governance framework that makes sure an organization assembles the appropriate people, processes and technologies to secure and maintain a network. Several frameworks are available, and an organization can pick the one that fits its needs. Used as the governing framework, COBIT covers the control objectives behind SOX and most other regulations, but it carries a high cost of ownership.
  3. Who should own the process of building the framework?
    To establish a successful IT governance framework, the customer's decision makers must understand the value IT governance offers, and that value should be presented in tangible business terms. After all, how many companies do you know that make decisions out of altruism? An IT governance framework must be presented as a sound business plan that helps the organization pursue its financial goals. The most successful compliance initiatives have a clear leader who is empowered to take responsibility for building the framework. This person must also be able to reach across organizational verticals, build consensus among the people who own the affected policies and technologies, and reconcile the business and compliance concerns that a successful IT governance framework has to satisfy.

Generally, the major players in decision making for an IT governance framework are:

The Executive Team -- Since policy and procedure decisions often come from the top down in an organization, the executive team must support the IT governance framework plan. They will often be responsible for providing a budget, and articulating and approving business plans.

The IT Department -- The IT department must be capable of deploying the IT governance framework as it applies to them, be able to quantify risks and benefits of the approach they take to meeting the IT governance framework, and participate in accounting for the dynamic nature of tactical security concerns.

Legal -- The legal team is integral in advising the organization on legal and compliance requirements.

HR -- HR sets the tone within the organization for supporting the IT governance framework, since HR policies and procedures such as end-user agreements (EUAs), background checks, hiring and termination policies, and training must be aligned with the framework's policies.

It can be difficult to convince an organization to adopt an IT governance framework. Taking a comprehensive framework and retrofitting it onto an existing organization can be painful, costly and time consuming, because a framework only delivers its value when it is implemented in full rather than piecemeal. To succeed, you and your customer should approach the compliance issue well prepared. Determine what the business drivers are, whether SOX, PCI or other compliance requirements. Review recent audits and try to understand the root cause of each deficiency. Establish which framework will keep the enterprise compliant in the future, and then manage the framework implementation as a major project, with participation and buy-in from all the major stakeholders. Last but not least, budget the appropriate resources to do the job.

About the author
Adam Rice is a Manager at VeriSign's Global Security Consulting. VeriSign's Global Security Consulting Services help Fortune 500 companies understand corporate security requirements, navigate the maze of diverse regulations, identify security vulnerabilities, defend against and respond to attacks, reduce risk, and meet the security compliance requirements of their business and industry. Adam has authored several white papers and technical articles on security professional services and emerging threats to the Internet community. He has an extensive background in security professional services product development and business delivery.



