The verdict is in: the more an organization adheres to a policy of maintaining controls for its technology assets, the more likely it's running a well-oiled IT shop. In other words, good controls can be good for your company. Building in controls for every asset within the company forms the foundation for a program by which the company can seize the reins of the IT compliance audit - essentially making compliance a routine part of doing business.
Between external audits, SOX audits, regulatory audits (such as Mastercard/Visa's PCI), and business-partner audits, many enterprises face the challenge of being under an almost continuous audit cycle. The issue is that each audit has a different scope - different systems, different requirements, different timeframes. With the recent focus on Sarbanes-Oxley preparation, companies have come a long way in documenting controls and standardizing on control environments. Now these companies need to put a system in place to take control of the audit themselves, working with the auditor in a preparatory phase to eliminate risks of failure and thereby eliminating the "unbounded audit."
Policy is Prime
As one of your company's compliance strategists, you already know that policy is step one in any security and compliance program. Policy management, therefore, as the foundation of the compliance program, becomes an object of worthy study to streamline and strengthen. Easing the burden of policy management will yield a stronger core to the compliance program, enabling the organization to communicate and enforce policy across the enterprise. This means the policy management processes within the organization must be robust and firm, but flexible enough to meet business requirements.
· Content is key: Policies must support long-term business objectives and be broad enough to set the tone of the organization. Standards must be rigorous enough to promote well controlled environment, yet be flexible enough for practical implementation. Controls must speak in a language targeted to the audience, whether the audience is a business representative, a process owner, or a technical professional.
· Communication, communication and more communication: Communication and awareness programs must educate employees with practical, tangible examples to make the relationship between controls and business processes real.
· Authority enables enforcement: Policy must have teeth to it to truly impact the organization. Executive support and input are essential to building a strong compliance foundation.
Policy, along with its supporting standards and control documentation, is the front line from an IT audit perspective. This documentation is the first view an auditor has into the organization. Before any testing happens, most IT audits will review documentation to evaluate the overall design of controls within the environment. To ensure a successful review, the policy must be relevant, consistent with corporate objectives, and capable of truly impacting the organization. The key to this is to integrate content with management processes that will keep policy alive in the organization and not let it collapse into an antiquated, outdated administrative overhead.
Your Management System
You're already halfway there if your organization maintains a compliance knowledge-management system that centralizes control documentation. Another plus is if the company has adopted a system built around an industry-accepted framework of controls. With Sarbanes-Oxley, many companies have built a collection of controls that sits somewhere between the internal audit function and the IT department. However, this valuable collection of controls is neither comprehensive for the full company nor easily transferable to other regulatory compliance requirements.
"Comprehensive" is the keyword. The organization's controls should be based upon a library of policies, standards and controls from an authoritative, experienced source of control information. An example of this would be validated audit controls utilizing established industry frameworks such as COBIT, ISO:17799 or, even better, a library of customized controls from a highly creditable source tailored to your business context. Control documentation should include consistently documented controls for all of the company's major operating systems, databases and network devices. Note, too, that centralization of control information is a must for a consistent approach across any enterprise. Centralization eases modes of communication, eliminates the risks of having outdated control documentation impacting mission-critical data, and allows the company to disseminate information much more quickly.
The next step to controlling the audit is to structure your content in such a way that you can present different views of that content to the compliance auditor. Controls need to be structured to be flexible and workable, so that they can be mapped into different contexts (regulations, control frameworks, roles in the company, etc). Policies, standards and controls, when designed as flexible "chunks," allow the organization to be more agile when responding to different requests or requirements during the audit process. Having the ability to see what controls you have in place for specific regulations or in the context of standards such as COBIT, ISO:17799 or NIST 800-53, gives the organization a method of demonstrating controls design from multiple perspectives. Your system should be designed to provide user-definable reports classified by policies, standards or technologies and be able to present the information in different contexts.
Another key is to review and update content within the system consistently. An external source of content can be a considerable advantage for remaining current on compliance and control issues. Ownership of the content, along with clear processes for review and update, is equally critical. Publication of updated control documentation should be communicated to the appropriate persons across the organization and rolled into awareness and education efforts.
Measurement: The Final Step in Audit Readiness
Now you need to extend your infrastructure into measurement of compliance across the enterprise. Again, your plan to take the reins of the audit means that your measurement infrastructure needs to address all facets of compliance: people, processes and technologies. The key is to measure the company's actual state of compliance against your documented policies and controls - and, ideally, with the flexibility to present the data in the proper context for the audit.
· "People controls" measurement evaluates the success of communication, awareness and education programs and determines how well employees grasp the requirements of compliance activities.
· Process controls measurement evaluates the effectiveness of processes, or steps in a process, that manage risks. Process-related controls are generally validated through testing, documentation reviews, and process reviews.
· Technology controls measurement is enabled by, yes, technology. However, remember that these monitoring technologies are only part of the puzzle. Collecting and reporting compliance data in a proper context is where the real compliance value lies. Gathering large sets of configuration data will only go so far when articulating current compliance levels.
Verifying your controls by conducting an internal audit or supporting a cycle of self- assessment is a great place to start. Doing so encourages you to consistently review controls within the organization, promote awareness to controls owners, and build a state of vigilance that will be critical for preparation for an external audit, or for an audit of a partner who wants you to demonstrate compliance with one of its security standards. A state of compliance readiness also equips the organization to undergo the so-called "casual executive audit," - an impromptu query by senior management prompted by executive concerns. These queries can be provoked by everything from a news story to an internal event raising concerns on specific compliance requirements. The key to building this audit preparedness is enabling the internal assessment with an infrastructure that is not overly burdensome and fits into the operational processes.
Finally, there's the process of initiating the formal external audit itself. Now that you have pre-positioned your compliance staff to take the reins of the audit, imagine the auditor's amazement when you invite him in for a review of your audit program and audit preparedness. The ability to articulate your compliance program from design to implementation will hinge on your ability to easily show policy, demonstrate controls management, and give insight into the current state of the environment. Leaving the audit up to chance and "whatever the auditors can find" will only exacerbate any issues discovered by the auditors. The audit could then become a war of attrition, and the organization could appear disorganized or unreliable in compliance management.
Taking control of the audit can be accomplished with efforts in key areas - policy definition and communication, controls management, and proactive measurement. The old adage of having "your ducks in a row" does apply to the audit process. Heading off questions is the best way to disarm the situation and keep red flags in check. All things being equal, the compliance staff and the auditor have the same goals - ensuring the company's risks are properly managed. It isn't exactly "know your enemy" in this case, but thinking like the auditor can give you a sustainable advantage.