This is the fourth of a four-part series on compliance.
Successful audits require that IT managers and compliance auditors speak the same language. Clearly written policies are one way to bridge the gap.
Joe Fleming, IT manager at Blue Cross Blue Shield in Helena, Mont., realized just how important written policies are after his first mock-audit when his organization desperately needed an electronic signature-based system to automate the process.
The never-ending paper trail created by compliance checks and balances had his IT staff running from department to department for the signatures of those in charge of delegating who gets access to what systems at Blue Cross Blue Shield in Helena, Mont.
"After the pseudo-audit, it wasn't any major changes we had to make, it was a lot of user ID changes caused by regular turn over in the company," Fleming said. "We had to make sure that the user IDs that were set up matched what the paper work said and that no one was taking any short cuts filling out the paperwork."
Fleming estimates that his staff spent hundreds of hours trying to get the auditing staff to clarify what exactly they were looking for.
Disconnect more common in regulatory compliance
Disconnects such as this are becoming fairly commonplace as more regulatory compliance initiatives move beyond high-level strategic discussions and perimeter security measures to the tactical IT trenches.
Take, for example, the case of an auditor asking a large company to encrypt a back-end database that contained customer information. Only three people had access to the back end, but the database had a Web front-end that gave more than 2,000 employees access to the data.
"The auditor made the wrong recommendation," said Paul Proctor, an analyst with Stamford, Conn.-based research group Gartner. "They wanted the company to spend $2 million protecting the back-end and overlooked the dangers on the front-end. "This is why IT has to get involved in the conversation to talk about what controls are really needed and to prevent stupid spending."
Reporting is another pitfall of unnecessary audit requests.
"With the mainframe [the auditors] wanted to know who had access to which data sets, which is data that can be pulled up in a lot of different ways," Fleming said. "We wanted them to give us the specific commands they wanted us to run, otherwise the data sets they were asking for would generate hundreds and hundreds of pages."
Steve Schlarman, chief compliance strategist at compliance management software maker Brabeion Software in McLean, Va., and former auditor with PricewaterhouseCoopers' security and auditing practice said he has seen discussion between auditors and IT staffs get lost in translation on many occasions.
Auditor speaks different language
"The language is just different," Schlarman said. "An auditor will ask to see a company's user registration policy and the IT administrator will say 'Huh?'. When the auditor should be asking 'What happens when you hire a new person', to determine how an organization is controlling user access. If IT thinks in terms of process, policy and control diagrams they will have a little more insight into the mind of an auditor."
And he's seen communication backfires coming down from the corporate level in the form of bible like corporate governance books on compliance.
"A Windows admin is going to look at that big book on proper controls and procedures and either ask a lot of questions, or interpret it the way he sees it," Schlarman said. "They need a set of standard builds, configurations specific to that box, or IT will spend a lot of time trying to interpret that high-level document and interpretation is where you get into trouble."
That is not to say that all auditors are less than tech-savvy. It's becoming juts the opposite with more compliance auditors taking IT classes at places like the SANS Institute and The Information System Audit and Control Association.
New breed of IT-smart auditors
"It's not just the auditors of old that you think of, the guy that knows how to look at the balance sheet and cash flow, but ones that know about IT and are being very specific as to what they want IT professionals to do, particularly with regulations like [the Payment Card Industry data security standard]," said Alex Bakman, founder of compliance reporting software vendor Ecora in Portsmouth, N.H.
Over at the Academic Enterprise Systems division of the University of Kansas, David Barnhill, senior system specialist, is more worried about how to word email auditing policies, versus having to deal with an actual auditor.
Eventually the university is going to get hit with an audit, whether it be through healthcare regulatory standard HIPAA as it relates to its toxicology and pharmacology research departments, or privacy laws related to students IDs, grades and health records.
The problem isn't so much what technology to put in place, but what and who should determine if an email violates a given regulation and what to do with it if it does, Barnhill said.
"Technology isn't the issue, we have a Sophos system that we can turn on tomorrow that can flag outbound emails just as easily as it does with inbound emails, Barnhill said. "What we don't have is policies. Who decides when something is a violation? If it's seen as a violation do we bounce it back to the user, or a person on staff who makes a final decision? Do we counsel the user? Should we have a program to teach people what not to send in an email?"
Barnhill also fears the backlash from university staff and students if a system is put in place that monitors the content of their emails. "I think it could be a huge political problem if we're looking at their emails, even if it's a less intrusive automated process," he said.