If you haven’t yet been asked ‘The auditors want us to...’ or ‘The auditor suggested...’ or ‘...wants to know how we...’ the likelihood is, you will be soon!
This article is an introductory guide for IT professionals – an ‘everything you wanted to know about compliance’. Those who have been audited in the past will learn how to remain compliant with the standards they are required to meet, making the next round of audits much more straightforward.
‘Software won’t make your organization compliant’
We’ll start with a clear statement: no software product, on its own, will make your organization compliant, and as you read the rest of this article you will arrive at the same conclusion. Compliance requires a cultural alignment at the personnel and process level, as well as specific standards of access control and security for IT systems.
That said, auditing tools that automate compliance checks by running vulnerability and configuration assessments across your network and servers are an essential component: they provide a bulk, automated and near real-time picture of your IT systems’ compliance that no manual process could achieve.
From legislation to measurable practice
As IT has become inextricably linked with the ability of any organization to conduct its business, the remit of auditors has widened: they must verify not only that sound accounting practices are being observed, but that sound governance of IT is in place too.
In the case of the US Sarbanes-Oxley legislation (SOX), one of the key objectives that drove the development of the act in the first place was the need to ensure that the kind of financial malpractice evident at the time could not happen again. The SOX act made the executive board directly responsible for the integrity of financial reporting – no ifs or buts, and no turning a blind eye to balance sheet anomalies.
How can this be achieved? There must be no way for financial reports to be tampered with, adjusted or altered, so that any statement signed off by the executive team is exactly what the underlying records say. Since all such reports originate in, are communicated by and are stored on IT systems, SOX has a direct bearing on the security and integrity of those systems.
Similarly, PCI DSS – the Payment Card Industry Data Security Standard – requires that all cardholder and card data be protected, which means the entire IT infrastructure that handles it must be secured and ‘locked down’. HIPAA, the US Health Insurance Portability and Accountability Act, likewise requires that patient data be kept private.
The fine detail of exactly what ‘sound governance’ encompasses will be driven by the particular industry you are in and the scale of your organization. Even so, there is a high degree of convergence across the various standards, and ultimately a consensus between IT service delivery teams and the auditor that this is all a ‘good idea’.
The challenge lies in reaching a consensus on the exact detail of how to achieve compliance. Complicating factors are the potentially high stakes involved (fines for non-compliance, being subject to more rigorous audits in the future and, in the case of PCI, being blacklisted as a payment card merchant, not to mention the corporate shame and scandal as your organization hits the headlines...) coupled with the deadlines by which audits must take place.
One financial services customer reports being subject to at least five different compliance standards: a mixture of US and UK/European regulatory body standards, plus PCI DSS, plus their own internal company standards of IT security. They are always being audited...
Summary
As an introduction, this article has barely scratched the surface of compliance audits, configuration standards, security policy and IT governance; these other aspects will be covered in future articles.