Maintaining compliance in a world of constant change

Robert Childs examines four steps information security practitioners can take to ensure that their compliance efforts are maintained and kept up-to-date.

Fall is near and year-end is not far off, a time of colorful leaves, cooling temperatures, holiday thoughts... and Sarbanes-Oxley (SOX) auditors. That's right, 'audit season' is upon us. I hope you've updated and improved your controls, because what was 'OK' last year just may not be OK this year. Why, you ask? Three things: change, auditors expect improvements, and more change.

When Sarbanes-Oxley came upon us, the big challenge was to 'get compliant.' Well, most of us survived the initial rounds and got our various control processes updated, implemented and documented. Now, the real challenge is how to maintain compliance and improve upon it. Today's business environment presents challenges and constraints to our compliance processes:

  • Technology and business boundaries are constantly changing and expanding.
  • New technology brings new risks, new processes and thus new compliance issues.
  • Businesses still need flexibility to remain competitive – rigid control processes can hinder flexibility, thus hurting the business's ability to operate effectively.

Without a defined process for maintaining and keeping controls up to date, you will find that many of your controls will soon be 'out of compliance' due to normal changes in your business and IT environments.

Keeping up with change: An ongoing process

As change is constant, you should have a process for continuous improvement of your controls and compliance efforts. Having a defined and documented improvement process will show good 'due diligence' to your auditors.

Here are some steps and suggestions on how to keep up with changes and ensure your compliance efforts don't get lost in the daily change shuffle.

1. Monitor new or potential legislation and regulatory pronouncements.
New legislation and regulatory rules are always in the works for information security, privacy and other related business controls. Some are refinements and new interpretations of existing laws. As a security or compliance professional, it is incumbent on you to keep up on the latest legislative and regulatory actions, and to interpret the new rulings with regard to how they may affect your company. Here are some tips for keeping up on regulations:

  1. Identify and subscribe to services that monitor and alert you to new and upcoming regulatory rulings for your specific industry.
  2. Inventory current and upcoming (potential) regulations.
  3. Include local, state, federal and international governing bodies in your research.
  4. Identify upcoming or potential new laws, and determine potential impact and risk to your organization.
  5. Keep business management, Compliance Officer and Legal Counsel updated on new legislation.

2. Define requirements to meet new compliance obligations
For new legislation or regulatory requirements, you will need to analyze and determine the steps needed to bring your organization into compliance. Here are a few steps to follow:

  1. Perform a risk assessment and gap analysis, if not already done
  2. Get business management involvement
  3. Identify business and IT processes affected
  4. Define business requirements
  5. Create/update policies that support new or changed compliance needs
  6. Define technical and system requirements
  7. Implement changes

3. Integrate with change control processes
Make use of your change control process to help ensure controls and compliance are maintained over time. Modify your change management practices to include a check and verification for controls and compliance requirements. Any changes to applications and systems should include a review and update of the control processes before being allowed into production. Control processes, like other system functions, should be tested. The Information Security Officer or appropriate IT compliance manager should sign off on all changes to ensure controls were properly addressed and updated, and meet regulatory requirements. Also, for SOX-related applications, changes should be scheduled and timed so as not to interfere with quarter-end or year-end audit controls testing. If new controls are implemented too close to the end of a year, then auditors may not be able to test the effectiveness of the control, creating issues in their audit findings.

4. Integrate with project management process
Modify your project management methodology to include meeting regulatory requirements as a deliverable success factor for each project. This will help ensure all new systems and applications meet regulatory requirements. When defining business and technical requirements for a new system, include identifying and defining the regulatory and controls requirements. These should be considered up front and integrated into the system requirements and functions. The controls should be tested along with the other functional and system testing. The final approval to move a system into production should include a review and approval of the control processes. If you can, get your Internal Auditor to review the controls design for new systems during design and before implementation. If there are issues, then you can resolve them at less cost than having to redo something after the system goes into production and creates an out-of-compliance issue.

About the author
Robert Childs is the Vice President and Information Security Officer for First Community Bank, in Albuquerque, NM. Sarbanes-Oxley, GLBA and other compliance requirements are just some of the regulatory issues he works with each day. Childs has more than 27 years of corporate experience in both management and staff positions, including over 9 years in information security and 11 years in IT auditing. Childs is a Certified Information Systems Security Professional, Certified Information Security Manager and a Certified Information Systems Auditor. He is President of InfraGard New Mexico Members Alliance, a non-profit organization sponsored by the FBI for the purpose of sharing security information on critical infrastructures between private industry and government entities.
