If Compliance is only a symptom, what is the disease?

Most of the directory owners I speak with have been living with legal or regulatory compliance for a number of years. Most have followed a predictable pattern: first sweating out their initial audit, then later working out better ways to implement whatever compliance policy they must adhere to so that compliance can be sustained. First audits are often completed by brute force in a forest-killing documentation exercise. If that experience was painful enough (and it usually is), they progress to looking at the underlying issue driving the compliance requirement they find themselves subject to. Ultimately this rationalization leads them to conclude that they must reach out to the enterprise and build compliance into business processes, at which point they begin treating the root problem rather than its compliance-audit symptoms.

You would think this would have been obvious from the start, but after reading the actual compliance requirements themselves it is easy to see why this causes so many people trouble. For example, the Sarbanes-Oxley Act of 2002 (SOX) was created to protect shareholders of public companies from financial misdeeds that could impact their investment. I will spare you the joy of reading section 404 of the SOX requirements, which deals with the IT aspect of compliance, and simply tell you that you would be underwhelmed by the lack of detail and direction it contains.

What is clearly spelled out in SOX is that the owner of an application or data should be responsible for controlling access to that owner's resource, and further that there needs to be a set of controls to make sure this happens. The reasoning is simple: the application or data owner is in the best position to know and understand the business justifications for granting access to their resource. SOX doesn't recommend what type of controls are needed, only that they must exist.

The lack of detail around IT controls leaves everything open to interpretation as to what is required on the part of IT to comply with the regulation. Because experience and competence vary by auditor and IT team, recommendations can be anything from paper-based procedures to implementing a new compliance layer of audit software, or worse. The directory owners I see who are able to achieve sustained compliance implement software-based process controls. These software-based controls should always automate and enforce governance, be self-documenting, and support real-world demonstration that the controls are in place and effective. Once these controls are in place, audit preparation time drops to hours rather than the weeks or months a first audit typically requires.

Posted in Active Directory.
