Continuous compliance is the only way to mitigate the huge business risk and escalating costs associated with multiple compliance audits, argues Paul Gostick.
Compliance spend may continue to rise year on year but there has been no attendant increase in compliance confidence. The majority of compliance officers are all too well aware of the presence of gaps and holes in IT systems, often created by unauthorised changes, which can rapidly undermine the compliant status.
Indeed, for many organisations, compliance has become little more than a box ticking exercise that attempts to deliver a compliant organisation at one point in time. Yet change to the business and IT infrastructure is both rapid and constant – and an essential component of development and growth.
As a result each audit process is fraught with problems. Compliance officers know without any doubt that a manual check by auditors could well reveal some breach or compliance problem that requires further, highly expensive, investigation. The result is increasing audit costs and a growing risk of major compliance failure – with attendant fines and negative publicity.
With the compliance burden increasing year on year, organisations cannot maintain their reliance on the ‘after the fact’, manual audit process; it is neither effective nor efficient. Automation has to be introduced into the process to drive down both cost and risk. It is only by creating a continuous compliance process that leverages real-time monitoring to highlight changes that could take the infrastructure into a non-compliant state that any organisation will be able to effectively achieve multi-standard compliance in the long term.
Onerous business
The increasing compliance burden is affecting all but the smallest businesses. From data protection to Sarbanes-Oxley and the new Payment Card Industry (PCI) Data Security Standard, regular compliance audits are becoming a familiar – and onerous – component of day to day business.
And while the majority of organisations have invested heavily in processes and systems designed to achieve compliance, most organisations approach compliance as an event rather than an ongoing requirement for the business. As a result, an audit often throws up a surprise breach or two that can result in fines and the need for immediate remedial IT activity.
The problem stems from the very reactive nature of the compliance process. Most organisations are unable to monitor whether or not the infrastructure remains compliant in real time. There is no way of checking whether or not policies for authorised access or data quality have been maintained until the manual audit is undertaken. It is only through investigation after the fact, during the audit, that potential breaches are revealed, prompting a more expensive, in-depth audit process.
It would, of course, be fairly straightforward to keep a static environment compliant. But change is continuous and essential to support business growth. Furthermore, despite excellent compliance policies and change management procedures, organisations know that unauthorised changes to systems occur – often on a daily basis – as individuals opt to work around what are often perceived to be arduous corporate procedures. Indeed, one organisation recently discovered 60,000 unauthorised changes on its IT systems despite having stringent change management processes in place.
Such changes are not only responsible for an estimated 80 percent of system failures but, critically, each and every unauthorised change can potentially breach regulatory compliance, leaving an organisation wide open to fines and other punishments. Furthermore, unknown changes introduce unknown risks to the business – and unknown risks cannot be managed.
As regulatory demands increase, it is becoming rapidly apparent that massive investment in up front compliance consultancy and systems may be critical but is not enough to attain and maintain a compliant state. Without real time monitoring to manage system change, organisations have little or no chance of maximising that investment to remain compliant and avoid an expensive, uncomfortable audit process.
Confirmed position
If organisations are to mitigate the risks associated with on-going system changes that create compliance breaches they need to evolve beyond a reliance on the manual, after the fact, audit process and embrace automation. It is only by monitoring the IT infrastructure against a compliant ‘baseline’ state that an organisation can see in real time if changes have occurred – from unauthorised access to data change – that could lead to a policy breach.
The first step to achieving continuous compliance is to assess the current IT infrastructure stack’s level of compliance to specific regulatory requirements, such as the PCI Data Security Standard and Sarbanes-Oxley. This assessment will either confirm compliance or provide a gap analysis highlighting current areas of potential breach.
Once these are addressed, real-time monitoring continuously checks the infrastructure to ensure compliance is sustained. Changes are assessed both against those logged in the change management database and against the compliance requirements, and IT staff are immediately alerted to any unauthorised changes. Furthermore, by integrating monitoring tools with remedial tools, the organisation could immediately roll the system back to the pre-change state to regain compliant status if required.
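The baseline-and-reconcile loop described in the two steps above, as an added illustration that is not Tripwire's code or anything from the original article: every monitored file is hashed into a baseline, the current state is diffed against it, and each change is only treated as authorised when a change management ticket approved exactly that resulting content. The file contents and the ticket store are constructed sample data standing in for a real filesystem and CMDB.

```python
import hashlib

# Constructed sample data standing in for real files and a real change
# management database; a production tool would hash the actual filesystem.
BASELINE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/var/www/app/config.php": b"<?php\n$debug = false;\n",
}
CURRENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n",
    "/var/www/app/config.php": b"<?php\n$debug = true;\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
# Approved change tickets: path -> sha256 of the content the ticket authorised.
# Only the new service account in /etc/passwd went through change management.
CHANGE_TICKETS = {
    "CHG-1042": {"/etc/passwd": hashlib.sha256(CURRENT["/etc/passwd"]).hexdigest()},
}

def snapshot(files):
    """Hash every file so the baseline records content, not just file names."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def diff(baseline, current):
    """Return {path: (kind, new_hash)} for every added, removed or modified file."""
    changes = {}
    for path in baseline.keys() | current.keys():
        before, after = baseline.get(path), current.get(path)
        if before == after:
            continue
        kind = "added" if before is None else "removed" if after is None else "modified"
        changes[path] = (kind, after)
    return changes

def reconcile(changes, tickets):
    """Split changes into authorised (a ticket approved exactly this hash) and unauthorised."""
    approved = {path: h for ticket in tickets.values() for path, h in ticket.items()}
    authorised, unauthorised = {}, {}
    for path, (kind, new_hash) in changes.items():
        # Explicit membership test: a removed file (hash None) with no ticket must not
        # match a missing entry and be silently treated as authorised.
        if path in approved and approved[path] == new_hash:
            authorised[path] = kind
        else:
            unauthorised[path] = kind
    return authorised, unauthorised

def audit():
    """One monitoring cycle: baseline vs current, reconciled against the tickets."""
    return reconcile(diff(snapshot(BASELINE), snapshot(CURRENT)), CHANGE_TICKETS)

if __name__ == "__main__":
    for path, kind in audit()[1].items():
        print(f"ALERT unauthorised {kind}: {path}")
```

The debug flag flip and the new cron entry surface as unauthorised changes for the alert path the article describes, while the ticketed account addition is accepted.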
Audit process
As well as reducing the risk of compliance and data breaches, configuration auditing and control technology can also reduce the audit cost by providing a full audit trail of every system event – from unauthorised access attempts onwards. The complete visibility of every change provides auditors with rapid insight into both the compliance policies and the level and effectiveness of enforcement.
Of course, such technology in no way removes the need for regular audits. The third party audit process will continue to be a core component of governance. However, the provision of an automated audit trail will undoubtedly simplify the audit and, critically, minimise the dangers of expensive, unexpected events coming to light during the process.
The result is not only a significant reduction in corporate risk associated with sliding out of compliance but also a drop in the on-going audit costs.
Take control
As the regulatory burden grows, organisations cannot afford to be intermittently compliant as they are today; the risks are too great and the costs of manual audits too high. Furthermore, does it really make sense to wait for the audit process to confirm compliance? This process is critical to sustained corporate viability; organisations need to take control of the infrastructure today to mitigate the risks associated with constant IT change.
By embracing automation to deliver continuous compliance, organisations can not only begin to reverse the trends of escalating compliance costs but, critically, attain control over the IT environment to minimise the dangers and risks associated with compliance breach.
Paul Gostick is marketing manager, Tripwire.

Date: 12th October 2007 | Region: World | Type: Article | Topic: Operational risk