If you haven’t yet been asked ‘The auditors want us to...’ or ‘The auditor suggested...’ or ‘...wants to know how we...’ the likelihood is, you will be soon!

This article is an introductory guide for IT professionals – an ‘Everything you wanted to know about Compliance’. Those reading this with experience of being audited in the past will learn how to remain compliant with their required standards, making the next round of audits much more straightforward.

‘Software won’t make your organization compliant’

We’ll start by making the statement that software won’t make your organization compliant – there isn’t any software available that can do that on its own, and as you read the rest of this paper you will arrive at the same conclusion. Compliance requires a cultural alignment to compliance at a personnel and process level, as well as specific standards of access control and security for IT systems.

Software auditing tools that automate compliance audits by running vulnerability assessments of your network and servers are nonetheless an essential component: they provide a bulk, automated and real-time assessment of your IT systems’ compliance that no manual process could ever achieve.

From legislation to measurable practice

As IT has become inextricably linked with the ability of any organization to conduct its business, so it has become the remit of auditors to not just verify that sound accounting practices are being observed, but that sound governance of IT is in place too.

In the case of the US Sarbanes-Oxley legislation (SOX), one of the key objectives that drove the development of the act in the first place was a need to ensure that the kind of financial malpractice evident at the time could not happen again. The SOX act made the executive board directly responsible for the integrity of financial reporting – no “ifs or buts”, and no turning a blind eye to balance sheet anomalies.

How can this be achieved? There must be no way that any financial report can be tampered with, adjusted or altered, so that any statement signed off by the Executive Team is verbatim. Since all reports originate in, and are communicated and stored using, IT systems, SOX has a direct bearing on the security and integrity of those IT systems.

Similarly, PCI DSS – the Payment Card Industry Data Security Standard – requires that all cardholder and card data be protected, which means that the entire IT infrastructure handling that data must be secure and ‘locked down’. HIPAA, the US Health Insurance Portability and Accountability Act, likewise requires patient data to be kept private.

The fine detail of exactly what ‘sound governance’ encompasses will be driven by the particular industry you are in and the scale of your organization. Even so, there is a high degree of convergence across the various policies, and ultimately a consensus between IT Service Delivery teams and the Auditor that this is all a ‘good idea’.

The challenge is in reaching a consensus over the exact detail of how to achieve compliance. Complicating factors are the potentially high stakes involved (fines for non-compliance, being subject to more rigorous audits in the future, and in the case of PCI, being blacklisted as a payment card merchant, not to mention the corporate shame and scandal as your organization hits the headlines...) coupled with fixed deadlines for the audits themselves.

A financial services customer reports being subject to at least five different standards for compliance. These are a mixture of US and UK/European regulatory body standards, plus PCI DSS plus their own internal company standards of IT security. They are always being audited...

Summary

As an introduction, we have barely scratched the surface of the subject of compliance audits, configuration standards, security policy and IT governance but will cover these other aspects in future articles.

Copyright 2024, New Net Technologies LLC. All rights reserved. 