Increased sophistication -- of users, hackers and regulatory compliance standards -- could make 2012 an interesting year for IT compliance officers, experts say. As always, staying proactive and ahead of the compliance threats will be necessary.
There is an increasing focus on business performance and value in governance, risk and compliance, said Brian Barnier, principal analyst at ValueBridge Advisors and one of the distinguished fellows of the Open Compliance & Ethics Group. But Barnier said that if done correctly, meeting regulatory compliance standards can ultimately improve business performance. For governance, risk and compliance (GRC) professionals in 2012, this means increased focus on financial, operational and customer satisfaction performance to meet compliance standards.
“For a GRC leader, this means first tapping existing skills in the organization in areas such as financial performance, operational excellence, business process improvement, quality improvement and organizational change,” Barnier advised. “Then, it means evaluating skill maturity to find and fix the gaps.”
But as GRC continues to evolve in the next year, auditors are adapting, too. Scott Goolik, chief technology officer at ControlPanelGRC Corp., said auditors are more vigilant than ever, and have even started broadening their scope. He said more clients are seeking continuous controls monitoring in their efforts to stay compliant.
“From a compliance perspective, our clients are telling us they are having difficulties with the segregation of duties, user access reviews and provisioning user changes,” Goolik said. “We are also hearing they are having issues with getting into change management.”
The regulatory compliance standard landscape is also becoming more complex as companies expand with mergers and business transactions. This drives higher costs from an audit perspective and could cause compliance headaches in the near future as well, Goolik said.
“What we see in the current economic environment is that most organizations are not adding staff, so they are being asked to constantly do more with less, or do more with the same amount of people,” Goolik said.
Barnier suggested that companies find ways to avoid dead-weight compliance costs. Compliance activities need to be split into those that are related to other business performance benefits -- such as better sales forecasting or product quality -- and those that are nothing but dead-weight burdens, he said.
“Proactively seek ways to combine compliance actions into performance improvements,” Barnier said. “This includes both control design reviews that seek more standardized designs and placement based on root cause -- then continuous monitoring that can provide both assurance and business efficiency.”
Beware the inside job: Check out those access privileges
Brian Anderson, chief marketing officer at BeyondTrust Software Inc., predicts more of an often-overlooked threat to compliance in the next year: the insider impact. There is usually a focus on hackers from the outside coming in, but it’s members of your own staff with too many access privileges who could cause the biggest problems, he said.
Organizations are currently far too generous with access and administrator rights and could easily violate regulatory compliance standards. Employees with too much access can reach areas of the network they shouldn’t, look at databases they shouldn’t, and even make changes because they have full administrator rights, he said.
Anderson noted that most of the major compliance regulations -- including HIPAA and SOX -- all have some clause or portion of their core compliancy tied to privacy and access to confidential information, or surrounding the ability to edit or modify confidential information.
“Anybody with full administrator rights can pretty much do whatever they want and then cover their tracks if you don’t have some type of technology that mitigates what they can do, or at least record it so you can remediate the problem if they’ve done something that breaks compliance,” Anderson said.
And, of course, employees do make mistakes. Anderson used the example of a secretary with access to the payroll system and Social Security numbers of every employee. If that secretary has full administrator rights and is accessing that data, simply hitting “email” instead of “print” could create a compliance nightmare for the entire company.
The “Goldilocks” compliance solution
Anderson said companies should be on the lookout for a “Goldilocks” solution -- one that’s just right. You don’t want to lock everybody down to the level of a standard user -- then they couldn’t get anything done. But the current Wild Wild West situation, where everybody has administrator rights, does not work either.
A “least-privilege solution” is often the way to go, Anderson said, especially as regulatory compliance standards evolve in 2012.
“A least-privilege solution basically grants privilege based on policy -- therefore, you can only do what you’re supposed to do, when you’re supposed to do it,” Anderson said. “Compliance regulations have very specific policies they are going to have to administrate on a very individual, or role-based, level.”
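The policy-based least-privilege model Anderson describes, the segregation-of-duties and user access review problems Goolik mentions, and the “record it so you can remediate” point can all be shown in one small policy evaluator. This is an added example, not code from the article or from any of the vendors quoted; the roles, actions, users, business-hours window and conflict pairs are constructed for the demonstration.

```python
"""Added example: role-based least-privilege policy check with time windows,
an audit trail of every decision, a segregation-of-duties (SoD) check and a
user access review report. All names and data below are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Grant:
    role: str                                   # role that holds the permission
    action: str                                 # e.g. "payroll:read"
    window: Optional[Tuple[time, time]] = None  # allowed hours; None = any time


# Constructed policy: a payroll clerk may read payroll only during business
# hours and may print it; approval and policy changes belong to other roles.
# Note there is no grant for "payroll:email" at all, so that action is denied.
POLICY: List[Grant] = [
    Grant("payroll_clerk", "payroll:read", (time(8, 0), time(18, 0))),
    Grant("payroll_clerk", "payroll:print"),
    Grant("payroll_approver", "payroll:approve"),
    Grant("sysadmin", "policy:change"),
]

# Constructed SoD rule: nobody may both prepare and approve payroll.
SOD_CONFLICTS: Set[frozenset] = {frozenset({"payroll_clerk", "payroll_approver"})}

# Constructed user-to-role assignments; "carol" deliberately violates the SoD rule.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"payroll_clerk"},
    "bob": {"payroll_approver"},
    "carol": {"payroll_clerk", "payroll_approver"},
}

# Every decision (allowed or denied) is recorded so it can be reviewed later.
AUDIT_LOG: List[dict] = []


def is_allowed(user: str, action: str, now: datetime) -> bool:
    """Grant only what policy allows, and only inside the grant's time window."""
    roles = USER_ROLES.get(user, set())
    allowed = False
    for g in POLICY:
        if g.role in roles and g.action == action:
            if g.window is None or g.window[0] <= now.time() < g.window[1]:
                allowed = True
                break
    AUDIT_LOG.append(
        {"user": user, "action": action, "time": now.isoformat(), "allowed": allowed}
    )
    return allowed


def sod_violations(user_roles: Dict[str, Set[str]] = USER_ROLES) -> List[str]:
    """Users holding every role in any conflicting role set."""
    return sorted(u for u, rs in user_roles.items()
                  if any(conflict <= rs for conflict in SOD_CONFLICTS))


def access_review(user_roles: Dict[str, Set[str]] = USER_ROLES,
                  policy: List[Grant] = POLICY) -> Dict[str, List[str]]:
    """Effective actions per user: the input to a periodic user access review."""
    return {u: sorted({g.action for g in policy if g.role in rs})
            for u, rs in user_roles.items()}


if __name__ == "__main__":
    business_hours = datetime(2012, 1, 10, 9, 30)
    print("alice read at 09:30:", is_allowed("alice", "payroll:read", business_hours))
    print("alice email at 09:30:", is_allowed("alice", "payroll:email", business_hours))
    print("SoD violations:", sod_violations())
    print("Access review:", access_review())
    print("Audit entries:", len(AUDIT_LOG))
```

The point of the structure is that the decision function never consults a user’s “administrator” flag: it only matches the user’s roles against explicit grants, so the clerk in Anderson’s payroll example can print but cannot email, and the same audit list that proves compliance also gives you the record needed to remediate a bad decision.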
The continued sophistication of users contributes to the problem. Anybody with a browser can do a Google search on “how do I change admin rights, how do I change policy,” Anderson said.
Putting content filters and other access policy measures in place to make sure employees don’t go on certain sites helps with security, but companies shouldn’t get complacent. Dave Marcus, director of advanced research and threat intelligence at McAfee Labs, said users are probably more sophisticated than they have ever been, so companies need to be even more vigilant in 2012 and going forward.
“What is to stop them from plugging in their iPhone and tethering it to their corporate PC if you are going to shut down too much Internet access?” Marcus said. “I’m much more of an advocate of empowering them to use it by just putting policies in place and security technologies in place.”
Companies should maintain technologies and policies that are prepared for today’s threats, not last year’s. IT officers also must stay up to date on constantly evolving data breach trends and on how to protect the organization from bad spam links, bad email links and employees’ social media use.
“It’s a combination of using the right technology and having a certain sense of suspicion when using social media or when you’re clicking a link in email,” Marcus said.
This means doing your homework – the threats are constantly evolving, so your GRC strategy needs to as well.
To do so, companies need to understand their business environment and capabilities so they know what they’re up against, Barnier said. He suggests creating “what-if” scenarios to test for potential compliance violations, then watching for warning signs of those “what-if” scenarios materializing.
“Then you can prioritize based on both business performance contribution and the cost/benefit of solutions, and implement high-power solutions that solve multiple problems at once,” Barnier said.
Let us know what you think about the story; email Ben Cole, Associate Editor.