For Allan Pomerantz, chief security officer of the oldest stock exchange in the United States, compliance audits are old hat.
The Philadelphia Stock Exchange, like all others, was under the watchful eye of the Securities and Exchange Commission long before Enron Corp. caused sweeping changes in how executives account for finances in the form of Sarbanes-Oxley regulations.
In his five years at the exchange, Pomerantz has learned that a successful audit comes down to one word: documentation.
"One thing for sure that an auditor is going to look at is your written policies and procedures for IT, and they will audit you against your own written policies and procedures," Pomerantz said.
Whether they are called security policies, compliance controls, or risk management procedures, these are the areas where most companies trip up before and during an audit.
At the level of IT administrator, snafus often take the shape of change management -- not necessarily with the IT systems in place but with the processes, especially with how they are documented and managed.
The good news is that if IT shops take the time to document their system change management controls and policies, they can check off a major requirement for a majority of regulations, including Sarbanes-Oxley, Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act, and Payment Card Industry compliance.
Emphasis on policies and controls is also why there is so much buzz around ITIL and COBIT, which offer a framework of best practice recommendations in such areas as change management, incident management and the help desk.
Tech-savvy auditors asking for more
Auditors with greater IT knowledge are digging in and asking for specific reports on any changes made to servers or network devices in a given timeframe, according to Alex Bakman, founder of change and compliance reporting software maker Ecora Software Corp. in Portsmouth, N.H. They are also asking for proof that IT shops track which users were added and when, who left the company, whether user IDs were revoked, and which IT administrators have access to critical systems, he said.
"When asked if they have proof of such changes, the answer from IT is often 'No, not really,'" Bakman said. "Auditors want to see documented proof," he said.
Part of the issue with change management is changing the mindset of the IT staff, said Joseph Fleming, IT manager with Blue Cross Blue Shield in Helena, Mont. After his company started implementing change control processes about a year ago and jumped on the ITIL bandwagon, his staff started to bombard him with questions and complaints.
"I have developers saying, 'Why do we have to do this,'" said Fleming, whose company uses several Altiris systems management products for capturing change instances and producing reports. "You have to sit down with them and explain that this is what we need to do to stay in business and that, in the end, having good processes does have its payoffs for IT."
Even with reassurances that change is necessary, buy-in from IT was a battle, said Fleming. "They don't like the feeling that their work is being watched, that you can see what they did and who caused a flaw in the system."
Auditors have not only asked Bill Grigonis, IT manager of the American Bible Society in New York, to show them how his department physically makes a change to a system, but they are also asking the IT staff to produce change management reports.
A shove from above for IT compliance
The American Bible Society is a prime example of how regulatory compliance can have an indirect impact on a company. Although the $1 billion nonprofit isn't required by law to meet every guideline of a given regulation, many of its corporate partners are. The nonprofit also needs to comply with privacy laws connected to donor information.
Even with these reasons to comply, it came down to a nudge from above. "Many of the people who sit on our board of directors are from Wall Street firms or bigger public companies," Grigonis said. "They have the compliance mindset and believe that we should also be compliant."
One thing the auditors did recommend was automation. The nonprofit cut down on its paper-intensive auditing process by using Ecora's software to automate configuration, change and patch management reports. On the storage side, the company uses EMC's data archiving software.
"Automation is key -- it eliminated so much time," Grigonis said. "We used to dread audit time. We'd have to sort through all these documents, and it was very stressful. But now we just run some programs," he said.