Managing IT Security Compliance
By Tom Schmidt
Last year, the Security Compliance Council sponsored a survey to gauge the impact of compliance on IT security. More than 200 IT security and compliance professionals participated in the survey, including representatives from the oil and gas and utilities industries. Based on responses to the survey, five key findings stood out:
- Three out of four organizations (75%) must comply with two or more regulations, and nearly half (43%) must comply with three or more regulations.
- Organizations spend an average of 34% of their IT resources on activities devoted to security compliance for multiple regulations.
- In response to the high costs and demands on IT resources, organizations are accelerating the use of automation to help demonstrate IT security compliance more cost-effectively.
- Only a small fraction of organizations (5%) have achieved a comprehensive level of automation in their efforts to demonstrate IT security compliance.
- Chief security officers appear to be ill-equipped to effectively manage the demands of demonstrating IT security compliance with regulations.
Likewise, a 2005 study by IDC, entitled "Priorities for Compliance," found that "more than 80 percent of the companies surveyed agree that compliance is not sustainable without an automated solution to manage the documentation and processes, including related tasks such as evaluating and running IT controls and event logs."
Together, the surveys underscore what more and more power and energy companies are coming to realize: namely, that IT compliance is an ongoing process, not a one-time event. Moreover, it requires automation to reduce costs and inefficiencies. This article looks at what power and energy companies can do to manage security practices to ensure compliance across the organization.
The cost of compliance
Industry observers have characterized the considerable IT resources devoted to demonstrating IT security compliance with regulatory requirements as a "hidden tax" on corporate profits. It's not hard to see why. The vast majority of companies surveyed by the Security Compliance Council employ mostly manual, labor-intensive procedures to complete their audits. That helps to explain why they are scrambling to automate audit and IT security procedures. After all, in today's corporate climate, the pressure is intense to improve efficiencies and enable the reallocation of IT resources to more productive tasks.
But the Security Compliance Council survey also identifies one of the most pressing challenges to automation:
"The most important strategic action companies can take is to correlate IT security controls against multiple regulatory requirements and leverage compensating controls to satisfy multiple audits."
Based on the survey findings, the Security Compliance Council developed several recommendations for meeting the demands of multiple regulatory mandates:
- Inventory all compliance-related activities: Chief security officers and IT managers must first list and categorize all of the data privacy, data retention, local, state, national, industry, and financial reporting mandates and audits required. The total list and scope of many compliance projects may come as a surprise to senior managers.
- Judiciously automate control activities: Automation frees up IT resources for reallocation and makes it practical to conduct more frequent audits more efficiently, so that IT resources can be redirected to more important pursuits.
- Increase the frequency of audits: More frequent internal audits and security control measurements can help determine whether changes in business conditions, business procedures, IT processes, IT security controls, new mandates, or other factors are responsible for changes to the control environment.
- Identify common controls across multiple regulations: Make sure that controls are clearly identified, auditable, and tested as part of an ongoing internal audit plan. Map controls to the standards and common security frameworks used by your organization. Identify the most common controls, and deploy and maintain these controls to reduce workload effort, cost, and confusion. By implementing common IT security controls, it will be possible to consistently -- and with less time and effort -- document, audit, and maintain compliance for multiple mandates.
- Re-examine the IT security function: The IT security function is evolving into a risk management and controls measurement function. Firms that recognize this will understand that detailed technical knowledge and skill are useful in day-to-day operations, but may be the wrong skills to apply when managing internal audits and overall IT security. Organizations will need to define roles that incorporate the appropriate balance of executive tasks, monitoring actual conditions against defined business risks, and implementing and maintaining IT security controls.
Conclusion
Adhering to strict compliance requirements is no small task when also accommodating constant demands for instant access to corporate data. By accelerating the use of automation to demonstrate compliance with multiple regulations, power and energy companies are in a better position to build an end-to-end program for creating, managing, and reporting compliance, while ensuring that critical data is secure and available.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.