If you haven’t yet been asked ‘The auditors want us to...’ or ‘The auditor suggested...’ or ‘...wants to know how we...’ the likelihood is, you will be soon!

This article is an introductory guide for IT professionals: an ‘everything you wanted to know about compliance’. Those who have been audited before will learn how to remain compliant with their required standards, making the next round of audits much more straightforward.

‘Software won’t make your organization compliant’

We’ll start with a plain statement: no software will make your organization compliant, and as you read the rest of this paper you will arrive at the same conclusion. Compliance requires a cultural alignment to compliance at a personnel and process level, as well as specific standards of access control and security for IT systems.

Software auditing tools that automate compliance audits by running vulnerability assessments of your network and servers are still an essential component: they provide a bulk, automated and real-time assessment of your IT systems’ compliance that no manual process could ever achieve.

From legislation to measurable practice

As IT has become inextricably linked with the ability of any organization to conduct its business, it has become the remit of auditors to verify not just that sound accounting practices are being observed, but that sound governance of IT is in place too.

In the case of the US Sarbanes-Oxley legislation (SOX), one of the key objectives that drove the development of the act in the first place was a need to ensure that the kind of financial malpractice evident at the time could not happen again. The SOX act made the executive board directly responsible for the integrity of financial reporting – no ifs or buts, and no turning a blind eye to balance sheet anomalies.

How can this be achieved? There must be no way for any financial report to be tampered with, adjusted or altered, so that any statement signed off by the Executive Team is exactly what the underlying records say. Since all reports originate in, are communicated through and are stored on IT systems, SOX has a direct bearing on the security and integrity of IT systems.

Similarly, PCI DSS – the Payment Card Industry Data Security Standard – requires that all cardholder and card data be protected, which means that the entire IT infrastructure handling it must be secure and ‘locked down’. HIPAA, the US Health Insurance Portability and Accountability Act, likewise requires patient data to be kept private.

The fine detail of exactly what ‘sound governance’ encompasses will be driven by the particular industry you are in and the scale of your organization. Even so, there is a high degree of convergence across the various policies and, ultimately, a consensus between IT Service Delivery teams and the Auditor that this is all a ‘good idea’.

The challenge lies in reaching a consensus over the exact detail of how to achieve compliance. Complicating factors are the potentially high stakes involved (fines for non-compliance, being subject to more rigorous audits in the future, and in the case of PCI, being blacklisted as a payment card merchant, not to mention the corporate shame and scandal as your organization hits the headlines...) coupled with the deadlines by which audits must take place.

One financial services customer reports being subject to at least five different compliance standards: a mixture of US and UK/European regulatory body standards, plus PCI DSS, plus their own internal company standards of IT security. They are always being audited...

Summary

As an introduction, we have barely scratched the surface of the subject of compliance audits, configuration standards, security policy and IT governance; we will cover these other aspects in future articles.

Copyright 2017, New Net Technologies Ltd. All rights reserved.