Whether IT shops like it or not, regulatory compliance is a way of life. The only solace IT managers have is that technology is available to help ease at least part of the burden.
"Compliance is very visible in everything we do," said Mark Granzow, vice president of global technology, equity options group, at TD Options LLC in Chicago. "It affects how we deal with record retention, it's changing our policies," said Granzow, adding that TD Options has its own internal compliance people.
"We have to make sure that everyone knows what our policies are," he said. His company has already applied ITIL best practices for change management, and for record retention it is using Iron Mountain Inc.'s journaling and email archiving technology.
Requests are also being made to upgrade its backup systems so that archived e-documents can be produced more quickly in the event of an audit. "We need almost instantaneous access to our archive, more capacity [and] indexing capabilities," Granzow said.
Above all, Granzow wants a product that can manage the whole process of compliance, a management system that does not exist at this point, he said. "A lot of vendors are saying they can meet all your compliance needs, but I haven't seen it," Granzow said. "We need one that stays on top of everything."
Some of the more urgent needs include better centralized storage and an easier way to manage policies for all the networks, file servers and business documents, he said.
Compliance touches many aspects of an organization
Compliance experts will be the first to say that many point products exist because, by its very nature, compliance can touch so many aspects of an organization -- legal, security, and records retention, among others. At the IT level, compliance involves asset management, identity access, storage, server and database monitoring and especially change management and configuration management.
One technology that is showing potential for bringing the policy and change process pieces together is configuration management databases. CMDBs hold the promise of giving IT managers a unified way to view and manage any changes made to systems, in real time.
Microsoft for one is expected to have a CMDB built into its upcoming help desk product called Service Manager, part of the vendor's System Center line of management products. The company is also working with third parties such as Brabeion Software Corp. in McLean, Va., to use Microsoft's Desired Configuration Manager in Systems Management Server as a way to manage and collect system changes as they relate to IT compliance, said Steven Schlarman, chief compliance strategist for Brabeion.
"Vendors are building in basic server and client configuration best practices that meet compliance requirements. The good news is that many of the regulations look for the same thing," Schlarman said, adding that they require some sort of commitment to manage changes. "You have an environment of checks and balances in areas such as systems access, and many vendors are building templates into their products to address this."
Hot button for Microsoft System Center
Kirill Tatarinov, corporate vice president of Microsoft's enterprise management division, said at the Microsoft Management Summit in March that compliance will be a number-one priority for the System Center group in 2007.
"We will have a set of products to help you bring your infrastructure and environment into compliance," Tatarinov said. "We will help you understand [what assets] you have and make sure they map to internal and external compliance."
Microsoft will embed one such effort in Service Manager. "It will have the ability to notify an IT manager when a configuration on a desktop or server drifts out of compliance and offer click-through capabilities to bring that machine back into compliance," Tatarinov said.
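The drift-and-remediate loop Tatarinov describes, as an added example that is not part of the original article and not code from any Microsoft or other vendor product: a desired-state baseline is compared against a CMDB-style inventory snapshot, every mismatch (including a setting a host never reported) is recorded together with the control it supports, and the grouped fix list is then applied. Baseline settings, hostnames and values are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed baseline (not any vendor's schema): setting -> (required value, control)
BASELINE = {
    "password_min_length": (12, "access control"),
    "audit_logging": ("enabled", "change tracking"),
    "screen_lock_minutes": (15, "access control"),
    "guest_account": ("disabled", "access control"),
}
# Constructed inventory snapshot, as a CMDB might hold it
INVENTORY = {
    "srv-db01": {"password_min_length": 12, "audit_logging": "enabled",
                 "screen_lock_minutes": 15, "guest_account": "disabled"},
    "wks-042": {"password_min_length": 8, "audit_logging": "enabled",
                "screen_lock_minutes": 15},  # guest_account never reported
}

@dataclass
class Drift:
    host: str
    setting: str
    expected: object
    actual: object  # None when the host never reported the setting
    control: str

def check_drift(inventory, baseline):
    """One Drift per (host, setting) that does not match the baseline.
    A setting the host never reported counts as drift: unknown is not compliant."""
    drifts = []
    for host, settings in sorted(inventory.items()):
        for setting, (expected, control) in baseline.items():
            actual = settings.get(setting)
            if actual != expected:
                drifts.append(Drift(host, setting, expected, actual, control))
    return drifts

def remediation_plan(drifts):
    """Group drift by host so each notification carries its full fix list."""
    plan = {}
    for d in drifts:
        plan.setdefault(d.host, []).append((d.setting, d.expected))
    return plan

def remediate(inventory, plan):
    """Apply the planned values (the 'click-through' step) to a copy."""
    fixed = {h: dict(s) for h, s in inventory.items()}
    for host, fixes in plan.items():
        for setting, value in fixes:
            fixed[host][setting] = value
    return fixed
```

Running `check_drift` again on the remediated copy returns an empty list, which is the audit evidence that the hosts are back in the desired state.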
As for a unified view of controls, major systems management players, such as BMC Software Inc., CA, Hewlett-Packard Co., IBM and Microsoft, are all working toward offering a single CMDB to store and manage relationships among assets, change management, performance and availability information.
"CMDBs exist in distributed environments to manage IT operations, and you can see how it can be applied to IT compliance on the execution side," said Vivian Tero, an analyst at IDC, based in Framingham, Mass.
The problem is the pieces that make up IT compliance exist in different applications. "A challenge is that in a lot of companies, policies reside on spreadsheets, just as most of the reporting still resides on spreadsheets," Tero said. "This is very time consuming, with some companies being audited two to three times a quarter and having to produce those reports every time."
That is where automation enters the picture, and where CMDBs can play a role.
Auditors want proof of data protection
"Automation is key with compliance, but you need to keep in mind that most large organizations have different versions of systems, and the configuration policies for each system are different," Tero said. "The challenge for IT is figuring out how to first unify this so that it can then be automated. And before any of that, policies need to be defined."
For the most part, auditors for specific regulations do not and should not give technology recommendations, say industry experts and IT managers. But auditors do offer guidance as to what an organization is expected to protect and prove in the form of reports.
For example, auditors may ask IT shops to run database reports to prove they can track changes made to critical databases containing customer information, said Phil Neray, vice president of marketing for database security and monitoring vendor Guardium Inc. in Waltham, Mass.
"The company panics and tells IT to turn on the native database auditing utilities, which reduces systems performance, impacts the stability and produces so many reports that it is impossible for the IT staff to go through them all," Neray said.
After the audit, it is not uncommon for companies to throw technology at an issue. Several IT managers at a recent TechTarget email archiving seminar in Chicago said they had installed an email archiving product, or bought one after an audit or possible litigation, and it remained shelved. The projects stalled because all the different departments involved could not decide what the system should flag and save.
One large hospital in the Midwest, for example, has implemented Quest Software Inc.'s email archiving software only to have its use halted by the hospital's legal department, which often has a delete-versus-save mentality, said IT managers at the event.
"The company wants the system, but what's happening -- and I think you'll see this a lot at companies -- is that legal keeps coming back and saying 'We're still formulating our retention policy,'" said an IT manager at the hospital who asked not to be named. "Legal needs to catch up with technology."
Technology plays only one role in compliance
In the end, the lesson is that technology plays only one role in compliance. Before technology can be implemented, there should be a department-wide consensus on policies, said Khalid Kark, an analyst with Forrester Research Inc. in Cambridge, Mass.
A company's product choice should ultimately be guided by these policies, he said. "We know it's not true that right now one vendor can solve all your compliance problems," Kark said. "With compliance, technology can help with automation, but you need equal processes that keep people in mind to get to that point."
As for choosing compliance products now, Kark said many companies are implementing security information management and enterprise security management products.
"The thing to keep in mind is that many vendors map to specific regulations, which does not work," Kark said. "And if you're buying point solutions, they need to be able to integrate with other products because this is a corporate-wide effort."