Seraphim Vector - Fotolia


Assemble tools to address IT compliance standards up the stack

The right set of IT compliance tools helps IT operations admins keep pace with rapidly evolving -- and increasing -- security regulations.

Enterprises need diverse IT compliance standards and tools in place to ensure that information is accessible, secure and auditable.

IT operations staff face a growing tangle of compliance regulations, including:

  • Dodd-Frank Wall Street Reform and Consumer Protection Act;
  • Sarbanes-Oxley Act;
  • Health Insurance Portability and Accountability Act (HIPAA);
  • Payment Card Industry Data Security Standard;
  • Consolidated Audit Trail; and
  • International Standards Organization 27001.

When management asks whether the company server is HIPAA-compliant, they expect a simple yes or no from IT operations. The first step toward meeting IT compliance standards is to understand the multifaceted complexity involved and then put a series of processes and tools in place to safeguard corporate data.

Compliance with regulations revolves around risk management. If companies do not protect sensitive information, they risk fines, intrusions that steal data, lost business and, in a worst-case scenario, suspension of business operations. Consequently, compliance regulations outline steps that firms must take to protect information.

IT compliance standards are rarely seen in black and white; instead, they appear in various shades of gray.

The risk management process is complex and touches upon a variety of business units, such as operations, legal and accounting, according to John A. Wheeler, research director at Gartner. Regulations broadly outline required best practices but do not tell organizations explicitly what business processes or tools to put in place. Consequently, IT compliance standards are rarely seen in black and white; instead, they appear in various shades of gray.

IT operations must be concerned with three broad areas: an accurate accounting of system infrastructure, security checks and audit reporting. IT compliance tools cover these areas in various ways.

Audit IT assets first

The first step to meet IT compliance standards is to get a handle on what systems and applications are in place. Increased inventory volatility from the uptake of public cloud services, as well as internal changes resulting from mergers and acquisitions, further exacerbate the task.

Public cloud, which Gartner forecasts will grow at a rate of 18% to reach $246.8 billion in 2017, has made it easier for department managers to purchase system resources without the IT department's knowledge or approval.

Cloud services market value
Figure 1. Gartner forecasts the public cloud services market, comprising business process services; platform, infrastructure and software as a service sectors; management and security services; and the largest sector: advertising.

Another IT asset inventory disruptor comes from mergers and acquisitions. Each year, U.S. businesses spend trillions of dollars to buy competitors, and associated IT systems often are a key element in such transactions. In fact, the desire to acquire another firm's technology is the No. 1 reason (27%) for a takeover, according to a KPMG survey. Once a corporation purchases another company, IT teams must quickly understand what applications, computers and data exist.

KPMG acquisition data
Figure 2. A 2017 KPMG survey found that companies buy competitors primarily to gain access to relevant technologies, expand their products and respond to change.

System audit tools traverse the enterprise network, ping end devices and seek out rogue systems. Laggard patching is an ongoing problem for operations staff, and hackers often probe systems looking for such vulnerabilities. VMware vRealize Configuration Manager authenticates company server and VM configurations and ensures that the software is current. Other IT audit tools are available from established system management vendors, including BMC Software, CA Technologies, IBM and Microsoft.

Security and compliance work hand in hand. The threat landscape is more complex due to distributed applications being broken down into components, an increased variety of end points and dispersed data centers.

"An increase in the volume and complexity of cybersecurity breaches and the potential damage that those events have on both business operations and brand reputation [are] driving greater demand for IT and security and risk management solutions," said Angela Gelnaw, security products and solutions analyst at IDC.

Consequently, businesses take an expensive, multi-tiered approach to secure information. IDC expects enterprise security spending will increase from $73.7 billion in 2016 to $101.6 billion in 2020. The compound annual growth rate of 8.3% is more than twice the rate of overall IT spending that IDC predicts during the five-year forecast period.

Enterprise security tool spending
Figure 3. Security-related services eat up the largest chunk of enterprise security spending, close to half of all security spending worldwide. Enterprises pay out the most for managed security services.

Security throughout the layers

Security starts at the network layer with virtual LANs (VLANs), which essentially create small quarantined zones -- sets of machines that cannot speak to machines in other sets. Set up VLANs so that the devices with the least-sensitive information have the fewest security checks, and those with the most confidential data have more. Network segregation typically requires little capital output and provides a basic level of security, but more comprehensive work is in store for IT compliance standards to meet most industry regulations.

In traditional, monolithic on-premises application hosting, the IT department can install a firewall at the network perimeter. Web browsers, mobile systems and cloud platforms open new potential entry points for attackers. Consequently, enterprises deploy security suites that comprise both application-level firewalls -- which are simple to install and maintain -- and the often more costly and difficult end-to-end encryption.

Check Point Software Technologies, Fortinet, IBM, Sophos, Symantec and Trend Micro sell security suites for IT compliance management. Trend Micro's Smart Protection Network, for example, includes a firewall, intrusion prevention software, patch management, system auditing and application-level protection.

Put it in writing

Reporting is the final piece of the IT compliance standards puzzle. Regulations typically require audit reports that outline which checks are in place, how often they are tested and what steps have been taken to close any potential holes. For instance, the American Institute of Certified Public Accountants relies on the Statements on Standards for Attestation Engagements No. 18 report to ensure compliance with Sarbanes-Oxley regulations.

Applications that generate these reports often fall into the governance, risk and compliance (GRC) bucket. TABB Group estimates that the global compliance market reached $2.592 billion in 2015 and grew at a pace of about 7.5% to 8% year over year in 2016.

Leading providers of GRC tools include AxiomSL, Bloomberg Vault, IBM, Nasdaq BWise, NICE Actimize, RSA Security, SAS Institute and SunGard. The AxiomSL platform, as one example, produces reports that meet the GRC requirements of Basel III capital and liquidity; Fair, Accurate Credit Transactions Act of 2003; Dodd-Frank Act; European Market Infrastructure Regulation; and International Financial Reporting Standard 9.

An IT compliance standards program requires a combination of tools to address systems tracking, IT security and audit requirements -- all in the name of guarding data. And as the threat landscape evolves, so will IT compliance tools and processes.

Next Steps

These Exchange and Office 365 tools aid compliance management

Improved security governance budgets aid risk management processes

Simplify and standardize the DevOps tools list

Dig Deeper on IT Log Management and Reporting