The strategy for employing the army is not to rely on their not coming, but to depend on us having the means to await them. Do not rely on them not attacking, but depend on us having an unassailable position.
Gone are the days when you can hope that auditors won’t come a-knocking. Because of Sarbanes-Oxley (SOX) and other sweeping regulations, auditors have a permanent seat at the executive table—alongside the divisional managers, who want to know when you’re going to get to their projects, and the CFO, who wants to know where all of the IT dollars are going.
Of all of the burdens on IT, compliance has taken a forefront recently—and it won't go away. But neither does it remove the many complex needs of the enterprise. IT leaders must find a way to integrate compliance into the panoply of corporate needs. Simplification, alignment, and unification of heterogeneous standards and requirements are the keys.
Anticipating Chaos and Corporate Inquisitions
Companies do not seek chaos; nor are they led astray by greed, ineptitude, or stupidity. Chaos is simply the consequence of forces and conditions that segregate and diversify complex compliance efforts over time and across the distributed organization.
Choices—which standard to follow, which control to implement, which priority to choose—can all lead to IT diversification. And, as if that weren't enough, regulatory creation, definition, and clarification never cease.
On the other hand, SOX audits, periodic budget reviews, and other regulatory filing deadlines all recur with adamant regularity. External auditors come around at least once a year—if not quarterly—to sample transactions, query staff, and scrutinize reports. And budget committees can be similarly exacting and persistent.
The challenge is daunting: how can IT compliance managers maintain compliance norms in a highly variable environment? One answer is to cultivate a unified compliance environment that encompasses the challenges you know and anticipates the challenges you don't.
In broad strokes, unifying the IT compliance environment should begin with a survey of the compliance landscape, focus heavily on standardization and unification of control objectives, and provide the latitude to bring new control objectives and deviant initiatives into alignment as they arise.
Elements of Unification
Identifying opportunities to standardize and unify compliance efforts offers tactical and strategic benefits. The specifics of any company's compliance environment will vary by business, market, and industry; however, broad-stroke alignment occurs across:
- Zones of IT compliance responsibility
- Regulatory guidance for IT controls
- Business requirements for IT controls
- Available frameworks and standards for IT controls
Most unnecessary compliance spending occurs in the overlap of controls within these areas—for example, redundant development of technical security controls for SOX, HIPAA, Gramm-Leach-Bliley (GLB), and payment-card processing systems. Each identified overlap is an opportunity to apply a single control across multiple requirements.
Tying control unification to one or more available control frameworks, such as ISO 17799, CobiT, the new Payment Card Processing standard, and HIPAA standards, allows companies to tap into established best practices and streamline internally defined controls. Since recent PCAOB guidance encourages SOX auditors to recognize that high-level controls can establish the validity of contributing controls, using the hierarchical design of established IT frameworks could also significantly streamline the auditing process. Moreover, because frameworks such as CobiT and ISO 17799 offer recommendations beyond a company's defined needs, they essentially comprise a reservoir of controls that compliance managers can tap as the need arises.
The benefits of unification are potentially enterprise-wide. They include less redundant development, standardized measurement and reporting, and shorter implementation times. Unification efforts that incorporate business requirements for controls (payment-card processing standards, for example) can also indicate ways to bundle unfunded business projects into compliance efforts, without significantly increasing total project cost. At the corporate level, unification draws executive attention to high-level IT oversight, which can earn IT compliance leaders a larger role in strategic planning.
Finally, unification offers tangible cost savings. According to a May 2004 report by industry analyst Gartner, Inc., public companies adopting a compliance management architecture will spend up to 50 percent less on compliance by 2006 than companies without one. This could translate to millions of dollars for both accelerated and non-accelerated filers.
Pre-fab Paths to Enlightenment
Currently, unification efforts are in the works at several organizations, including the Information Systems Audit and Control Association (ISACA), the Information Systems Security Association (ISSA), and the Workgroup for Electronic Data Interchange (WEDI). Most of these projects address a specific area of compliance, such as security or health information protection.
Companies shouldn't have to choose between compliance imperatives and business goals. Standardizing and simplifying IT frameworks and unifying compliance goals at the control level reduces the likelihood that they'll have to.
- Information Systems Audit and Control Association (ISACA) and CobiT
- Information Systems Security Association (ISSA)
- ISO 17799:2000, Information Technology—Code of Practice for Information Security Management, from the International Organization for Standardization
- Public Companies Accounting Oversight Board (PCAOB)
- US Department of Health & Human Services Office for Civil Rights Health Insurance Portability and Accountability Act (HIPAA)
- US Securities and Exchange Commission (SEC) Spotlight on: Sarbanes-Oxley Rulemaking
- Workgroup for Electronic Data Interchange (WEDI)
This article originally appeared at itcinstitute.com. Copyright 2008, 1105 Media Inc. Reprinted with permission.