Reducing the Cost of Compliance

Reconciling multiple regulatory schemes doesn't have to be as painful as it would seem, but does virtualisation help?

In many ways, compliance is the new security. It's a hot-button topic, it isn't going away any time soon, and there are loads of consultants and vendors trying to make a buck off misunderstandings as well as actual needs.

But how big a problem compliance represents for IT is altogether a different matter. That's because IT is a discipline that rewards best practices in the first place. What to do is pretty well understood; how to do it is what is debated.

Because good IT practitioners are willing to put in a little extra effort to document and verify processes and tasks, they may assume that everything is fine until someone says otherwise. That's not necessarily the case, as I remember from my first audits as an IT manager.

Compliance and its relationship to governance and risk management is better defined today than ever before, both for the business as a whole and for IT in particular.

Governance, risk management and compliance are often summed up under the GRC acronym. It is a useful umbrella term because the three areas are closely related, and their interests intersect and overlap. The simple fact is that compliance models are driven by the requirements of governance and risk management, and as the attention given to specific concerns will ebb and flow over time, so will the demands placed on IT.

It is also important to remember that compliance is not just a matter of hitting one set of marks. Depending on the nature of ones business, location and structure, there may be multiple layers of requirements that have to be met.

Nevertheless, said Gartner Vice President and Fellow French Caldwell, the reality is that "by the point at which these areas affect IT, they tend to harmonise with one another instead of clashing." As an example, he pointed to privacy laws, noting that even with the diversity of cultures and jurisdictions, "these laws all follow a common set of principles from which you can derive a standard set of controls."

This extends into other areas as well, and the result is beneficial for both IT and the business as a whole.

That's because in rationalising controls, one is reducing the audit surface. Caldwell claimed, "When organisations get serious about compliance, they can reduce the number of controls by about 30 per cent." This means that they have that much less to audit and maintain, and are reducing the actual cost of compliance by eliminating the overlap between various compliance schemes.

One question that comes up is how IT compliance relates to the overall enterprise compliance effort. Chris McClean, a senior analyst at Forrester Research, believes it's helpful to have them coordinated in terms of remediation workflow, reporting and even basic terminology, but said that "there are so many different elements of IT risk versus enterprise risk with compliance that you need those subject matter experts to be within those different groups."

In contrast, Caldwell of Gartner sees a single enterprise compliance programme, with IT playing several roles within that programme.

Compliance in a Box?
Although IT compliance isn't something one can simply buy, there are a number of vendors who offer ways to automate the implementation and verification of required practices. Caldwell argues that the main benefit of enterprise-class GRC management tools is their enablement of this kind of rationalisation of controls. As he puts it, "You've got to get them off of spreadsheets and email, and onto a common set of records."

Some of the best of these tools, whether as standalone packages or integrated with larger enterprise management software, are based on the Unified Compliance Framework (UCF), a joint venture of the Latham & Watkins law firm and the Network Frontiers consultancy.

The UCF is based on the analysis of what are called authority documents: audit guidelines, contractual obligations, laws, standards, and similar instructions or mandates. According to the venture's website, more than 700 of these documents have been distilled into the current version of the framework.

They include the biggest names in compliance and governance frameworks, such as ISO 9000, ITIL, Six Sigma, and Carnegie Mellon's behemoth Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE), as well as another dozen or more major contributors to the discipline, including national and international standards and professional practices.

An obvious advantage of any canned compliance solution when compared with the home-grown approach is that in the former case, the heavy lifting required to reconcile seemingly contradictory requirements is already done. The downside, as Caldwell pointed out, is that providers might not respond as quickly to changes in regulations as one might need.

After all, "My software didn't tell me this was wrong" is only a slight improvement over "The dog ate my homework." Of course, any supplied compliance management system is going to require some tweaking to meet local requirements or implement recent changes in regulations.

Fortunately, IT compliance tools may not be as much of a burden to deploy as one might think. Compliance tools that use the UCF as a foundation can take the form of a managed software-as-a-service (SaaS) deployment as well as standalone software. For organisations invested in an existing enterprise management system, Caldwell said, the tools may simply take the form of an add-on. "It used to be that you didn't have any choice but to put the pieces together," he added, "but we now see the large ERP vendors like SAP and Oracle and some of the business analytics vendors like IBM and SAS trying to provide one-stop shopping."

French Caldwell of Gartner believes that IBM might be the first to close the gap between tools that enable enterprise-wide compliance and those focussed on IT compliance.

Challenges for IT
Yet enterprise suites don't do a very good job of addressing some of the most important measurements of compliance. "Where they fall short is in monitoring IT infrastructure," Caldwell pointed out.

"They can monitor IT at the application level, but as far as automated monitoring of server configuration controls (and) vulnerability is concerned, they don't have that capability."

The drive for compliance is taking place at the same time that businesses are finishing the most dramatic shift IT has seen since the move to client-server processing. Virtualisation may simplify physical infrastructure by offering host consolidation and improved manageability, but it adds a layer of complexity to determining whether a given system is in compliance.

So-called compliance tools for virtualisation are for now more about configuration compliance than anything else. They aren't any more capable of examining how a virtual machine and its software are actually being used than a hardware manufacturer's server management tools are.

"We are still a few years away from packages that can look at application-level compliance and hardware-level compliance with equal grace," Caldwell said. IBM is probably the closest to closing that gap, he added, thanks to its in-house experience with systems management through its Tivoli line.

In essence, the question "How do we get compliant?" has to be answered with another question: "How do you use IT?" On one hand, if you're on the edge of the technology curve and an early adopter of new technologies, there's a decent chance that you have your work cut out for you. On the other, if your organisation makes use of well-developed ecosystems, such as what one sees in a mature ERP deployment, you can expect to find the hooks needed to implement a compliance tool designed to mesh with the rest of the software stack.

P J Connolly is Senior Analyst, eWEEK Labs.
