Although the term "compliance" means something different to every company, the intent of multiple regulations across industries has a core commonality: to ensure the security, availability, and ultimately the integrity of corporate information. While many enterprises have approached compliance as a one-time event or on a per-regulation basis, this article will argue that organizations must begin to address compliance from a strategic perspective, one that mandates a proactive and holistic approach to building a comprehensive set of capabilities in security and availability. A strategic approach can go beyond the regulatory environment and help companies improve the overall security and availability of information assets, reduce operating costs, and increase the quality of IT service throughout the enterprise.
Roadblocks to compliance
As most enterprises know, ensuring the integrity of information comes with multiple IT challenges, which in turn create roadblocks to sustaining IT compliance over time. These include:
• Complexity. Due to increased levels of merger and acquisition activity in recent years, IT infrastructures have become a complex maze of heterogeneous hardware and software. In addition to technological complexity, IT executives are also responsible for interpreting the IT requirements for multiple global regulations.
• Manual processes. Federally mandated processes are inevitably supported by personnel who manually aggregate information, assess status, address shortcomings, and pull together reports. This is a costly and error-prone methodology that is not easily repeatable.
• Lack of standardization. Inconsistent processes across business units and geographies create fragmented efforts involving multiple ways of testing, measuring, and reporting on the same IT control. In an October 2004 internal controls survey conducted by Ernst & Young, LLP, nearly one third of the organizations surveyed were testing more than 1,000 controls, predominantly organizations with more than $5 billion in revenue.
A strategic approach to compliance
To achieve and sustain real IT compliance, Symantec recommends that enterprises take a three-step approach: assess their current compliance posture, establish IT controls, and sustain IT compliance.
• Assess the current compliance posture. The first step involves planning, in order to understand the scope of the effort needed. To obtain this information, companies must dig into their processes and technologies to inventory the IT environment, as well as understand how internal and external risks and threats affect critical business processes. This effort includes mapping assets to compliance requirements; performing a gap analysis (i.e., testing the IT controls necessary to meet compliance and business requirements in order to identify security and availability weaknesses); comparing current IT controls with industry standards (such as ISO 17799); and creating an action plan.
• Establish IT controls. Based upon the risk assessment, gaps in the IT control structure must be closed by implementing the necessary IT controls to create a secure, available, and resilient infrastructure.

Symantec, Middle East