By: Rich Ptak, Managing Partner, Ptak, Noel & Associates LLC
Despite its significant costs and a mixed record of success, the compliance-related load imposed on today’s enterprise has yet to decrease. Current trends driven by government legislative efforts, and adopted at the executive level, favor the continuing proliferation of monitoring and reporting in operations, decision-making and service delivery. Even if existing legislation is repealed, it is not certain that compliance edicts will cease.
The response to, and responsibility for, monitoring, recording, analyzing and reporting on compliance efforts will continue to weigh heavily on IT operations. Data is where it all starts; IT remains the main repository of enterprise information and data, and also carries the responsibility for maintaining and operating the network links between all parts of the organization. Therefore, IT will experience the bulk of the operational load.
Enterprise compliance activities break down into three steps:
- Assessment – the effort undertaken by the enterprise to determine the operational differences between current operational procedures and those required to comply with legislated mandates. This can include defining activities to eliminate the gap.
- Implementation – the effort to design the required solution, acquire infrastructure, processes and products to implement the solution, and, finally, the actual implementation effort.
- Review, analysis, and reporting – this is the cycle of activities to get actionable information from the data collected, the reporting on the day-to-day state of compliance, warning when noncompliance threatens, and progress towards achieving compliance.
The first two tasks have benefited from the interest and efforts of a range of aggressive solution providers. The third continues to get an increasing amount of attention as experience demonstrates its criticality to assuring compliance in an evolving climate of control. The enterprise must be able to demonstrate not only that it has policies and procedures in place, but also that it monitors to assure these are followed (and initiates corrective action when they are not). Enterprise executives also become liable if abuses or weaknesses creep into their systems as things change over time as the result of growth (organic, acquisition, etc.) or consolidation.
For all but the smallest enterprise, the task of monitoring activities, collecting data, analyzing, and reporting on the data is far too complex and time-consuming for manual completion. Complicating matters is the tendency for mandates to include demands for ‘timely’ reporting and ‘prompt’ corrective action. In an environment with little tolerance for slow responses, few enterprises can afford to run the risk of being perceived as non-compliant, with the attendant legal and financial penalties.
Today’s enterprise operates in an environment of growing complexity, escalating competition and, in the case of compliance regulations, increasing ambiguity. Ambiguity means that different groups can, and will, interpret performance and operational actions in differing ways. This increases the risk of non-compliance. It also means that the parameters and requirements of reporting can and will change. IT must be able to quickly and reliably adapt its processes to comply with these changes.
Finally, in addition to externally mandated procedures, there are those required by the enterprise itself. Any solution must be able to monitor and prove compliance with these custom procedures. The solution is to automate the effort to track, manage, and report on the compliance process.
The primary responsibility for implementing the policies and reporting on these efforts falls on enterprise IT. IT must deal with these, as well as expanded demands for service, with staffs already stretched to the limit by the technical and operational demands of increasingly complex day-to-day activities. It is not possible to meet compliance monitoring and reporting demands with manual efforts. Such approaches are too slow, inconsistent in application, and unable to stay current with the pace of change in today’s dynamic enterprise.
Based on hard-won experience in automating business processes, enterprises have embraced policy-driven automation to relieve the burden and risk associated with manual processes. This delivers flexibility, adaptability, and scalability with a timeframe and ease of implementation that meets compliance and operational needs. Hence the popularity of SIEM and log management solutions, and of integrated solutions that allow seamless growth and application across the enterprise environment.
It is important to know the specific requirements and results needed by the enterprise in order to avoid selecting a SIEM solution that is either too complicated to use or too feature-weak to meet enterprise needs. For most, a modular, automated, integrated, policy-driven and process-oriented solution will prove to be the most effective and flexible choice.