Compliance demands a technology toolbox

By Hannah Smalltree, News Writer
01 Aug 2006 | SearchDataManagement.com


When compliance auditors dig deep, a company's technology infrastructure, processes and policies need to stand up to intense scrutiny.

Companies are looking to technology to prove that they are compliant with Sarbanes-Oxley (SOX), Europe's Basel II, HIPAA and a host of other industry- and country-specific regulations. Ultimately, automating compliance efforts should leave a company able to legally defend how it manages and protects information, according to James Kobielus, principal analyst with Sterling, Va.-based Current Analysis Inc. Companies should consider how their processes and infrastructure will stand up to "forensic analysis," he said.

"You don't want your CEO to end up in jail, so you need to be able to build a case and defend it convincingly," Kobielus said. "Compliance ultimately comes down to governance of internal processes. That workflow and the underlying audit trail are your last line of defense against prosecution."

Despite big promises from vendors, analysts agree that automating regulatory compliance requires more than one kind of software or technology tool. It takes an infrastructure of data and process management software to effectively comply with regulations.

This year, companies will spend 10% to 15% of their IT budgets on compliance efforts, according to Stamford, Conn.-based Gartner Research Inc., and U.S. companies will spend more than $1.9 billion on technology for SOX compliance, according to Boston-based AMR Research Inc. Companies should look beyond finance department tools or software bearing the SOX compliance label, according to Michael Rasmussen, vice president with Cambridge, Mass.-based Forrester Research Inc.

"Compliance efforts should really be distributed throughout an organization," Rasmussen said. "Sarbanes-Oxley is a driver today, but in reality there are a lot of other compliance initiatives which will require a common management infrastructure."

On the positive side, though, compliance requirements may drive companies to fund much-needed updates to their processes and data management infrastructures, according to John Hagerty, vice president of research with AMR.

"The No. 1 side benefit of automating compliance activities is that you also streamline and standardize business activities. Technology reduces ambiguity, makes processes cleaner and makes you more efficient," Hagerty said.

Critical components of a compliance technology toolbox

  • Information and application security: Protecting and securing information is the bottom-line requirement of many regulations and tends to be the biggest concern of IT groups working on compliance initiatives, Hagerty said. Tools for intrusion detection, encryption, and information and application security are essential for any compliance effort, he added.
  • Identity and access management: All compliance mandates require control over access to sensitive information, Kobielus said. These tools provide user authentication, authorization and role-based access controls.
  • Configuration and change management: Most regulations also require companies to lock down the configurations of critical software assets in order to maintain security and access controls, Kobielus said. Change management tools are important for allowing IT to maintain control over internal systems.
  • Controls automation or continuous monitoring: This software acts as a "checks and balances" system governing compliance-impacting processes, Hagerty said. For example, it might continuously monitor finance systems to ensure that all invoices over $10,000 are reviewed by a supervisor before being paid. Then the tool would generate an alert if an employee were to skip a required step.
  • Business process management (BPM): Regimented, auditable workflows are a requirement of many regulations, including SOX, Hagerty said. Compliance requires the rigid documentation and enforcement of processes. BPM software helps create, manage and monitor the execution of processes, he said.
  • Governance, risk and compliance management: These tools are commonly associated with SOX compliance and help companies create and document corporate policies, according to Hagerty. They help manage the general rules that govern a company's operations and provide a compliance framework.
  • Document and records management: Most regulations dictate what information a company must keep and for how long, Hagerty said. Some of these tools just manage the rules and policies for document storage, while some act as actual document repositories.
  • Business intelligence (BI) and corporate performance management (CPM): Fundamentally, compliance is about reporting, and reporting is the core of BI, Kobielus said. Analysts agree that BI features such as reporting, scorecarding, dashboards and analytics help companies uncover and react to issues that could affect compliance. CPM tools that manage internal activities also help companies stay on top of compliance-related efforts.
  • Data management essentials: A solid data management strategy should be at the core of any compliance effort, Kobielus believes. A data warehouse and data quality tools are critical for integrating information and cleansing it for financial reporting. And, master data management ensures consistency and accuracy -- both compliance fundamentals, he said.
  • Professional services: It's difficult to understand compliance requirements, Kobielus said. So -- just as one might look to a tax professional to explain the tax code -- compliance professionals are almost essential for interpreting different regulatory requirements.
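The invoice-approval rule in the controls-automation bullet, expressed as a continuous-monitoring check over a constructed ledger. This is an added example, not code from the article or from any vendor's product; the field names, the role table, and the separation-of-duties and timing checks are assumptions that go a little beyond the article's single rule.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed example: field names, role table and threshold are assumptions
# chosen to illustrate the article's rule, not any product's data format.
REVIEW_THRESHOLD = 10_000.0  # invoices over this amount need supervisor sign-off
SUPERVISORS = {"carol", "dave"}  # constructed role table

@dataclass
class Invoice:
    invoice_id: str
    amount: float
    submitted_by: str
    reviewed_by: Optional[str]        # None if nobody signed off
    reviewed_at: Optional[datetime]
    paid_at: Optional[datetime]       # None if not yet paid

def check_invoice(inv: Invoice) -> list:
    """Return control violations for one invoice (empty list means compliant)."""
    findings = []
    if inv.paid_at is None or inv.amount <= REVIEW_THRESHOLD:
        return findings  # only paid, above-threshold invoices are in scope
    if inv.reviewed_by is None:
        findings.append("paid without supervisor review")
        return findings
    if inv.reviewed_by not in SUPERVISORS:
        findings.append("reviewer %s is not a supervisor" % inv.reviewed_by)
    if inv.reviewed_by == inv.submitted_by:
        findings.append("submitter approved own invoice (separation of duties)")
    if inv.reviewed_at is None or inv.reviewed_at > inv.paid_at:
        findings.append("review recorded after payment")
    return findings

def audit(invoices) -> list:
    """Audit-trail alerts as (invoice_id, finding) pairs, in ledger order."""
    return [(inv.invoice_id, f) for inv in invoices for f in check_invoice(inv)]

# Constructed ledger covering the compliant case and each failure mode.
SAMPLE_INVOICES = [
    Invoice("INV-1", 25_000.0, "alice", "carol", datetime(2006, 8, 1, 9), datetime(2006, 8, 1, 10)),
    Invoice("INV-2", 12_500.0, "bob", None, None, datetime(2006, 8, 1, 11)),        # review skipped
    Invoice("INV-3", 9_999.0, "bob", None, None, datetime(2006, 8, 1, 12)),          # below threshold
    Invoice("INV-4", 15_000.0, "carol", "carol", datetime(2006, 8, 1, 13), datetime(2006, 8, 1, 14)),  # self-approval
    Invoice("INV-5", 30_000.0, "alice", "dave", datetime(2006, 8, 2, 9), datetime(2006, 8, 1, 15)),    # reviewed after paying
    Invoice("INV-6", 20_000.0, "alice", "bob", datetime(2006, 8, 1, 9), None),       # not yet paid
]

if __name__ == "__main__":
    for invoice_id, finding in audit(SAMPLE_INVOICES):
        print("ALERT", invoice_id, finding)
```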

Prioritizing compliance software investments

The list of compliance-supporting technologies can look a lot like a sophisticated data management infrastructure, so where does a company with limited time, money and people start investing?

It's about narrowing the scope of efforts and focusing on the most important data and processes first, Hagerty said. Initial SOX-compliance efforts were prone to overkill and exaggerated responses, he said, owing to a lack of guidance from governing bodies and an understandable fear of potential repercussions.

"In the absence of guidance, folks assumed the worst and did the most," Hagerty said. "Now people are reducing their scope and asking what activities are really related to compliance."

That means assessing where the real problems lie, prioritizing efforts, and synchronizing compliance automation plans with data management roadmaps, Hagerty said.

It also means that companies should be discerning when it comes to purchasing compliance software. Some companies have run into unexpected scalability problems or found that a product doesn't help them as much as they thought it would, Forrester's Rasmussen said, adding that it's critical to really understand the requirements of regulation and do a proof of concept.

"There's a lot of confusion, bad marketing and messaging happening out there," Rasmussen said. "Read the regulations, try out the product, and find out whether it will really help do what's required."

This article originally appeared on SearchDataManagement.com.

