IT Compliance Management: A Holistic Approach

04/08/2015  |  By: Thomas Lewis, CISSP, CISA, QSA, Shareholder, Information Security


Agencies and government contractors are required by law and industry regulations to comply with what seems to be an endless list of IT compliance requirements: FISMA, HIPAA, HITECH, PCI, OMB, IRS 1075, GLB, state privacy laws, SOX, EFTA, Red Flags, COPPA, NERC—the list goes on. No doubt, it feels overwhelming at times. And as cyber thieves become smarter and an increasing number of data records are stolen, IT compliance management will most likely become more complex and burdensome. Not a pretty picture, right? Well, there is a better way to tackle this alphabet soup of resource-consuming regulation. We recommend taking the “thirty-thousand foot view” and considering your organization as a whole—identify the commonalities across all of your reporting requirements and coordinate your efforts, thereby reducing redundancy.

Develop a crosswalk that aligns all of your organization’s compliance requirements. This will allow you to identify the common enterprise controls that can be tested once and used many times to satisfy all reporting requirements. Then, on a case-by-case basis, you can tackle the outliers and ‘one-offs’ associated with a limited number of compliance requirements or specific lines of business. This holistic approach to compliance management will result in fewer hours spent responding to audit requests and should significantly reduce audit findings.

A fragmented approach to compliance management leads to “audit fatigue,” and we all know that when we get tired we tend to get sloppy. Unfortunately, sloppiness leads to audit findings and compliance gaps. One of the biggest obstacles to a coordinated ‘test once, report many’ strategy is time. Indeed, it takes a significant upfront effort to evaluate each compliance requirement and to coordinate the reporting effort. It also requires an individual (or team) with a high degree of familiarity with multiple compliance requirements. But it’s worth it. Not only will you save money in the long run by increasing the productivity of your staff and reducing the disruptive nature of audits, you might even find that you can reduce the direct expenses associated with compliance. Imagine your cost savings if you could let your IT team focus more on innovation and development instead of spending so much time responding to audits.

Standardizing Your System and Processes

When an organization institutes a standardized system configuration and supporting processes, fewer resources are able to manage a larger number of security controls. For example, if the entire organization adopts a unified configuration for the Windows server(s), it’s easier to disseminate security fixes and to monitor individual workstations for anomalies. Compliance also becomes significantly less taxing when you deploy a standardized array of hardware and software platforms. But it’s not just your platforms you’ll want to consider. If each business area is implementing and monitoring controls and managing artifacts in its own way, FISMA compliance can be unduly burdensome. By standardizing your processes, you will reduce redundancies, increase the integrity of your reporting, and make it easier to fix what’s broken.

For example, let’s say you’ve put a standardized change management policy in place that includes a ticketing system, a request and approval process, and implementation. Once you’ve determined that each component is solid, you can test single samples to find out whether or not the process is working across multiple environments. By standardizing change and patch management, assigning uniform handling of artifacts, codifying monitoring procedures, and adopting a centralized content management system (CMS) for reporting, you will more easily be able to submit audit responses in a timely and thorough manner.

At first glance, the overhaul required to standardize technology platforms and processes might seem out of reach from a cost perspective. It’s tempting to make do with what you have and adopt singular fixes that are siloed around a compliance requirement or a particular security issue. But the cost of applying ‘Band-Aids’ adds up. Ultimately, your security solution becomes unwieldy, and your tools are no longer able to do what you need them to do. (Sometimes, they never did what you needed them to, and you were simply sold a bill of goods.) This ad hoc, reactive method of data security management may have lower direct costs, but the indirect costs of not having a standardized, organization-wide system can range from slow leaks to major hemorrhaging.

It’s time to think differently about this. Total cost of ownership (TCO) is not typically reflected in the upfront pricing of what looks to be a cost-prohibitive solution. But do some research, and you might find otherwise. Toss around some ‘what if’ scenarios. Dig down into each application and business unit to determine what would happen if you don’t invest in a data security strategy that encompasses a broader view. Find out how much more effective it is to make changes to, and monitor, a standardized system. Check for redundancies that could be eliminated by a more holistic approach. You might quickly find that the TCO of standardizing your IT infrastructure and your procedures is much lower than what you are currently spending to put out fires. By committing to a holistic approach, your entire data security compliance program will run more smoothly. Should someone be out sick (or leave the company), another person can quickly fill in. IT platforms and tools are updated and reconfigured more uniformly. Process corrections can be made more easily. And you will definitely recognize economies of scale in the audit process. Not only will you be prepared for an audit on shorter notice; more significantly, your controls will do a better job of keeping your data safe.

Find out more about FISMA by downloading a free copy of our guide below, FISMA Compliance: Practical Strategies. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.

Posted in: FISMA