The advantages and limits of compliance automation - what works, what doesn't and why? Eoin Fleming
The Problem
• There are an estimated 20,000 regulatory instruments and laws worldwide that affect Information Technology
• Every year new and more onerous audit requirements are placed on businesses – the newest being EuroSoX and E-Discovery
• As the size and frequency of audits go up, costs go up and the impact on staff goes up (on IT staff AND business staff)
• We are now at the point where audit and compliance are impacting business flexibility and competitive edge
• Audit is too frequent, too expensive and too demanding for organisations to keep up – and it's getting worse
HP Confidential
What can be done?
Audit has traditionally been a highly manual process.
[Diagram: typical audit process, flowchart beginning at "Start Here"]
What can be done?
[Graph: the typical compliance "rollercoaster", here measuring inactive users for SOX; the peaks are labelled "Audit"]
Audit is a wasteful process because it is a series of "once-offs": after the audit everyone relaxes and things go back to the way they were – human nature.
What's the ideal?
Auditor self-service and continuous compliance monitoring.
How to achieve it?
• Automate as far as possible the key security and compliance indicators that auditors always look at
• Give the internal auditors access to the monitoring tools NOT JUST WHEN THEY ARE CONDUCTING AN AUDIT BUT ALL THE TIME
• Give external auditors access to the same tooling – less disruptive, as otherwise you have to install/de-install theirs
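A minimal form of the automated "inactive users" indicator referred to above, as an added example that is not part of the presentation. The account records, the 90-day idle limit and the 5% threshold are constructed assumptions; a real control would take them from the organisation's control definition and a directory export.

```python
from datetime import date, timedelta

# Constructed sample directory export for illustration; not data from the presentation.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": date(2024, 5, 28)},
    {"user": "bob",   "enabled": True,  "last_login": date(2024, 1, 10)},
    {"user": "carol", "enabled": False, "last_login": date(2024, 2, 15)},  # already disabled
    {"user": "dave",  "enabled": True,  "last_login": None},               # never logged in
    {"user": "eve",   "enabled": True,  "last_login": date(2024, 5, 1)},
]
AS_OF = date(2024, 6, 1)  # constructed reporting date for the snapshot below


def inactive_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no login within max_idle_days of as_of.

    Disabled accounts are not a finding; an account that never logged in is.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        a["user"] for a in accounts
        if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff)
    )


def compliance_snapshot(accounts, as_of, max_idle_days=90, max_inactive_pct=5.0):
    """One point on the KPI series: the inactive-user rate and whether it passes.

    max_inactive_pct is an assumed policy threshold, not a figure from the slides.
    """
    enabled = [a for a in accounts if a["enabled"]]
    inactive = inactive_accounts(accounts, as_of, max_idle_days)
    pct = 100.0 * len(inactive) / len(enabled) if enabled else 0.0
    return {
        "as_of": as_of.isoformat(),
        "enabled": len(enabled),
        "inactive": inactive,
        "inactive_pct": round(pct, 1),
        "compliant": pct <= max_inactive_pct,
    }


def render_report(snapshot):
    """Auditor-readable one-liner suitable for a self-service dashboard."""
    status = "PASS" if snapshot["compliant"] else "FAIL"
    return (f"{snapshot['as_of']} inactive users: {len(snapshot['inactive'])}/"
            f"{snapshot['enabled']} ({snapshot['inactive_pct']}%) {status} "
            f"[{', '.join(snapshot['inactive']) or 'none'}]")


if __name__ == "__main__":
    print(render_report(compliance_snapshot(ACCOUNTS, AS_OF)))
```

Run on a schedule and stored as a series, the snapshots give auditors the continuous view rather than the once-off peaks in the graph.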
What the ideal process looks like – no audits other than statutory
Trade-offs
What automates well – what doesn't (Green = good, Red = poor)
• Staff training, i.e. CBT
• PUA/UAM enforcement and reporting
• Security Incident Management
• Compliance and regulatory reporting to ISO and ITGCs
• Metrics, KPIs/KRIs
• Antispam/antivirus
• Centralised log management and reporting
• Active security response capability
• IPS
• Vulnerability scanning
• Security configuration mapping
• Penetration testing
• Control self-assessment
• System "hardening"
• Operational risk management
What should not be automated (yet)
• Business risk management – operational risk automates well, but impact judgement has to be manual
• Penetration testing (if done) – automated approaches are not up to the job yet
• When considering this approach, involve your internal and external audit teams from the start – they are facing the same challenges and their agreement is critical to the success of the process