Editor’s note: Terri Grauer is a consultant and writer specializing in the application of technologies to business challenges. Sanity Check is a regular feature in Local Tech Wire.
________________________________________________________________________________________
Recently I’ve been working with several organizations facing the challenges of compliance. With most of the deadlines already passed for Sarbanes-Oxley and HIPAA compliance, organizations are still struggling with how to prove compliance.
One way is to implement an automated management system, which can dramatically lower the cost of analysis, implementation, and auditing.
Whether an enterprise must comply with government regulations (like HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, or Basel II) or is adopting new standards (like COBIT or ISO17799), an automated, end-to-end, centralized monitoring, management and reporting system delivers immediate proof on many compliance issues. An automated system collects and integrates data from virtually any platform or application, and provides the flexibility to meet future changes to regulations and standards.
Building a ‘Framework’
Most of the corporations I am involved with have made the decision to replace ‘niche’ and point solutions with a comprehensive, automated, and integrated ‘framework’-type management system.
Two key features of any integrated and automated management system are crucial to compliance efforts: centralization and automation. For compliance purposes, controls that are standardized, centrally administered, and repeatable encompass ‘best practices’.
Any investment in an automated management system should include technology to centrally monitor and manage your existing IT investments through standardized, repeatable processes. The architecture needs to integrate all this collected data into a centralized, unified database structure, providing end-to-end transparency across the entire infrastructure and a unified set of applications that are available via a single, secure management portal.
In addition, automated processes provide greater efficiencies and improved controls by minimizing vulnerabilities to fraud, user error, and malicious use, greatly aiding compliance efforts.
In order to meet minimum compliance requirements, other key aspects of an automated solution should include risk management analysis and reporting on security and access controls; data integrity management; integrated incident management control via ticketing and response mechanisms; and audit logs and reporting of asset management, vendor management and segregation of duties within an organization.
For IT, the goal of Risk Management is to minimize data loss, user errors, and process errors. An automated management system decreases risk using embedded features that optimize availability and up-time, increase hardware and software performance, and automatically notify users of irregularities. And if the solution has an integrated ticketing system for incident management, the ticketing and audit logs will provide proof of corrective action and the immediate response of the organization to any perceived threat.
Integrated asset management records are crucial to successful compliance efforts. The integration of records allows an enterprise to address all aspects of asset management, including reconciliation of financials, software licensing, disaster recovery, and change management.
After so many recent examples of ‘misstated financials’ due to internal (manual) reporting errors, any evaluation of a management solution needs to include integrated asset management as part of the core technology.
Alternative to Orange Jumpsuit
Another benefit of an integrated solution is the possible ‘reduction’ of insurance cost to the organization, due to ‘real-time’ monitoring, reporting and incident response, based upon asset management. If an organization can prove ‘proactive immediate response and resolution’ to threats via audit logs and incident ticketing, then its insurance premiums should be lowered based upon this proof.
It is much like getting a break on homeowners insurance if you have an alarm, a smoke detector and a fire extinguisher on the property: all are proven to reduce risks and all show proactive measures.
If you still want to look at a point solution compliance tool, then look for the ability to integrate with existing systems, infrastructure and applications.
If the compliance solution does not ‘integrate’ seamlessly in the environment, then you’re probably not going to meet minimum regulatory requirements, and you’re still going to do a lot of the work manually. It might make better financial sense to look for a fully integrated, automated management solution rather than a point product; after all, orange jumpsuits are really not flattering on anyone. Just ask Martha Stewart.
Terri Grauer is a consultant and writer specializing in the application of technologies to business challenges. She can be reached via email at email@example.com