IT compliance. It's a phrase that resonates throughout every enterprise today, from the data center to the boardroom. And it's not hard to see why. In just the last few years, IT compliance has emerged as an ongoing, critical business function that has a profound effect on an organization's growth and success. IT compliance may be interpreted in numerous ways, but the purpose of an increasing number of recent regulations, industry standards, and best practices frameworks is to achieve a common result: to preserve the security, the availability, and, ultimately, the integrity of business information.
Managing compliance amid multiple regulations
As any IT professional knows, enterprises today are under increasing regulatory pressure -- the governance requirements of Sarbanes-Oxley, the privacy requirements of HIPAA, the homeland defense measures of the USA PATRIOT Act, the European Data Protection Act, and the Basel II Accord, to name just a few.
Moreover, it's often the case that an organization is subject to more than one regulation. In fact, in a recent survey conducted by the IT Policy Compliance Group, 70 percent of the companies surveyed reported being subject to multiple regulatory compliance mandates.
With so many organizations struggling to meet audits that must satisfy multiple mandates, it's no surprise that vast amounts of IT resources are being spent to demonstrate IT compliance. The IT Policy Compliance Group estimated recently that, on average, 34 percent of IT resources are being spent on meeting multiple regulatory compliance demands.
Why such a high percentage? Because in too many cases manual or ad hoc processes are woven through the entire IT compliance process. And manual processes are labor-intensive, error-prone, and not easily repeatable.
In addition, compliance initiatives managed by different groups in separate departments can mean duplicative efforts to test and measure the same IT control function across the organization. The result, in all these cases, is a waste of resources.
The email and messaging challenge
Complicating every organization's compliance effort even further is the need to properly manage email and instant messaging data. The staggering growth of corporate email and IM volumes in recent years only underscores the challenge. According to a survey conducted earlier this year by Osterman Research, the typical user in a large organization sends or receives 85 emails each day, or more than 22,000 emails every year.
But it's not just that the volume of email and IM data is exploding. These records are also now commonly subpoenaed and presented as evidence in court. As a result, email, files, and attachments must be easily accessible to authorized legal personnel to search and review for legal discovery. Failure to do so can be costly, as financial services firm Morgan Stanley discovered last year.
In the course of a lawsuit brought by billionaire financier Ronald Perelman, Morgan Stanley couldn't reliably produce emails for the court. That didn't sit well with the judge in the case, who ruled that the company deliberately violated her orders. In the end, the jury awarded Perelman $604.3 million in compensatory damages and $850 million in punitive damages.
The real challenge, then, comes from properly managing this information so that important documents and data are retained in accordance with an appropriate time frame and are readily accessible to those who need to review them. When information critical to the business or legal discovery is not securely stored and readily available, the risk of non-compliance increases.
Endpoint security
At the same time, the demands for critical information to be constantly available present their own challenges. Increasingly, the typical organization's information is shared with partners, contractors, temporary employees, and workers in far-flung locations. For today's computing environments, therefore, endpoint security must be a required component of an overall security strategy. Endpoint security solutions enable organizations to evaluate, protect, and remediate managed and unmanaged systems as they connect to corporate assets. Endpoint protection offers a perimeter of defense to ensure that all devices are current with security software before entering the corporate network. This "persistent" enforcement approach enables IT to address the crucial task of protecting the enterprise from exposure of intellectual property, costly network downtime, and possible regulatory fines that can undermine a company's brand integrity.
Sustained compliance
In response to these IT compliance challenges, organizations are increasingly looking at ways to minimize fragmented initiatives, automate procedures and IT security controls, and apply best practices to reduce risk.
• Select a framework to comply with multiple regulations
To develop a sustainable compliance posture, organizations are recognizing the value of implementing an overall control framework such as COSO, COBIT, or ISO 17799. Adoption of such a framework simplifies communication, validates the controls with auditors and regulators, and reduces the effort required (and, therefore, the cost to the organization).
• Automate to reduce costs
In its recent survey, the IT Policy Compliance Group found that two-thirds of firms are attempting to automate audit procedures and IT security controls to help reduce labor costs and allow IT to focus on more productive endeavors. (The same survey found that one-quarter of firms continue to rely on manual methods.)
• Apply best practices
Research conducted by the IT Policy Compliance Group has helped to identify best practices in IT compliance. The following actions have been shown to improve results for IT security and regulatory compliance:
1. Conduct internal regulatory and IT security audits at least monthly.
2. Spend at least 25 percent of IT staff time on regulatory compliance.
3. Allocate more than 10 percent of the IT budget to IT security.
4. Establish clear objectives and measure results at regular intervals.
5. Automate compliance and IT security controls and procedures with IT technology tools.
Conclusion
Establishing and sustaining IT compliance is a journey, not a destination. Today's enterprises need to evolve their compliance efforts from ad hoc projects to cost-effective and efficient processes that can be applied across various compliance initiatives involving the security and availability of information.
James Hurley, Managing Director, Symantec
James Hurley is the managing director of the IT Policy Compliance Group for Symantec, www.itpolicycompliance.com.
Hurley previously served as the vice president of the risk, security, and compliance practice at the Aberdeen Group.