25 May 2011

The Compliance Challenge for IT

ExaProtect | www.exaprotect.com


What challenges does the IT department face regarding compliance? Its primary function is to implement and maintain technology that supports business goals. However, as the complexity of modern IT increases, so does the corresponding risk. A core requirement of any compliance strategy is to understand the nature and volume of the risks an organization faces and to implement appropriate controls in order to manage them effectively.

What is ‘risk’?

A commonly used approach treats risk as a function of Likelihood and Impact (Risk = L x I), with Likelihood in turn a function of Vulnerabilities and Threats (L = V x T). An increase in any one of these factors produces a corresponding increase in the overall risk.

IT risk has risen significantly in recent years and, in response, most organizations have implemented a range of security policies, processes and devices to better manage this risk. This growth in security devices (and IT systems) has resulted in an increase in the number of generated events. Understanding these security events is vital for anomaly detection, continuous control, and forensic and audit investigations.

A resulting requirement is the capability to collect and classify the different categories of security-related event information, and thereby to identify potential risks to the IT systems.

How are risks managed?

Control is vital to compliance. Risk mitigation is usually achieved by the judicious selection of security controls. With this in mind, organizations are increasingly employing a common control framework in order to manage their regulatory compliance activities. Examples include COBIT, ITIL and the ISO/IEC 27000 series. Such frameworks offer a number of control objectives and controls, particularly in relation to IT risk management and information security, from which the organization must choose; under ISO/IEC 27001 the chosen controls are documented in the Statement of Applicability.

Collecting and analyzing event information is a compliance challenge: the problem is that few organizations have either the expertise or the time to do this. This leads to an audit gap in the compliance process.

A solution comes in the form of a security information and event management (SIEM) system. This can provide dashboards and reports that are independent of the various technology solutions storing and securing data.
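The capability described above, mapping events from several unrelated sources onto one common schema so that reports and dashboards do not depend on any one vendor's log format, as an added illustration in Python. This is example code written for this page, not ExaProtect's product or any code from the original article; the log lines, host names, field names, severity scale and category taxonomy are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample events from three different sources (a firewall, a Linux
# sshd host and a Windows-style logon record). Not real logs.
SAMPLE_LOGS = [
    "Jan 12 10:01:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Jan 12 10:01:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "Jan 12 10:01:09 web01 sshd[2213]: Accepted publickey for deploy from 198.51.100.4 port 40110 ssh2",
    "2021-01-12T10:01:11Z dc01 EventID=4625 Account=jsmith Source=203.0.113.9 Status=0xC000006D",
    "Jan 12 10:02:30 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=3389",
]


@dataclass(frozen=True)
class Event:
    """Common schema every source is mapped onto (assumed taxonomy, not a standard)."""
    source: str    # device or host that produced the event
    category: str  # "network.blocked", "auth.failure" or "auth.success"
    severity: int  # 1 (informational) .. 5 (critical); scale chosen for the example
    src_ip: str
    user: str
    raw: str       # original line kept for forensic and audit purposes


# One parser per source format. Each regex recognizes a vendor-specific line and
# the builder maps the captured fields onto the common Event schema.
PARSERS = [
    (re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) kernel: DROP .*SRC=(?P<ip>\S+) .*DPT=(?P<port>\d+)"),
     lambda m: Event(m["host"], "network.blocked", 2, m["ip"], "", m.string)),
    (re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
     lambda m: Event(m["host"], "auth.failure", 3, m["ip"], m["user"], m.string)),
    (re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)"),
     lambda m: Event(m["host"], "auth.success", 1, m["ip"], m["user"], m.string)),
    (re.compile(r"^\S+ (?P<host>\S+) EventID=4625 Account=(?P<user>\S+) Source=(?P<ip>\S+)"),
     lambda m: Event(m["host"], "auth.failure", 3, m["ip"], m["user"], m.string)),
]


def normalize(line):
    """Map one raw log line onto the common schema; None when no parser matches."""
    for pattern, build in PARSERS:
        m = pattern.match(line)
        if m:
            return build(m)
    return None


def normalize_all(lines):
    """Split input into normalized events and lines no parser understood.
    Unparsed lines are returned rather than dropped: silently losing events is
    exactly the audit gap the controls are meant to close."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def summarize(events):
    """Counts a report or dashboard would show, independent of any vendor format."""
    return {
        "by_category": dict(Counter(e.category for e in events)),
        "by_source_ip": dict(Counter(e.src_ip for e in events)),
        "max_severity": max((e.severity for e in events), default=0),
    }


def flag_repeat_offenders(events, threshold=3):
    """Simple cross-source anomaly check: source IPs with at least `threshold`
    failure or block events. Returns {ip: (count, sorted list of reporting hosts)}."""
    counts, sources = Counter(), {}
    for e in events:
        if e.category in ("auth.failure", "network.blocked"):
            counts[e.src_ip] += 1
            sources.setdefault(e.src_ip, set()).add(e.source)
    return {ip: (n, sorted(sources[ip])) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs, rest = normalize_all(SAMPLE_LOGS)
    print(summarize(evs))
    print(flag_repeat_offenders(evs))
    print("unparsed:", rest)
```

The point of the design is the split between parsers and everything after them: adding a new device type means adding one regex and builder, while the summary and the anomaly check keep working unchanged because they only ever see the common schema. In the sample, the same address shows up on the firewall, the Linux host and the domain controller, which no single device's own reporting would reveal.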

Does SIEM help in practice?

Our own client-base shows how SIEM tools can deliver real benefits. For example, Adecco, a multinational leader in the recruitment market, uses SIEM as part of its monitoring, reporting and archiving processes to ensure compliance with Sarbanes-Oxley.

Compliance requires so much information to be managed, controlled and made readily available that the overhead becomes a burden. It is vital that the organization minimizes the time taken to handle the information produced by the various controls while still providing quality information capable of evidencing its compliance.

What are the steps to successful compliance?

Our experience indicates that the key steps in addressing the compliance challenge with a SIEM project are to identify stakeholders and obtain their buy-in; define clear, measurable business deliverables for the project; ensure that the team is made up of the right people, with the appropriate skills and resources; simplify and pre-tune the IT infrastructure; phase the roll-out; and ensure continued SIEM integration with the business.

