IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Wed, 1st Apr 2009

How IT can restore sanity to the audit cycle

Now, more than ever, it’s vital for businesses to ensure compliance is at the forefront of business concerns. Failure to meet compliance guidelines could result in financial penalties, or the suspension or revocation of a company’s right to accept or process credit card transactions. In some jurisdictions, fines for compliance violations could be as high as $500,000 per incident, and the cost per data file could reach around $300. Even more concerning is the possibility of a data breach, which could cost a company millions and damage the brand. The current economy means businesses can’t afford to be negligent. With systems and tools now available that make compliance easy to maintain, with automated controls and reporting across an organisation’s entire IT infrastructure, businesses that fail to implement them will fall behind, incurring unnecessary expense, time and labour in the process.

PCI DSS

One compliance policy that has experienced increased global attention is the Payment Card Industry Data Security Standard (PCI DSS). It is designed to protect cardholder account data from theft and fraud. All organisations that perform or process credit card transactions must achieve, maintain and improve PCI compliance by implementing file integrity monitoring controls on the technology that supports these transactions. It’s the norm for the virtualised infrastructure involved in transactions, and for retail point-of-sale technology, to be included in PCI audits. Lately, with Visa making more noise and becoming more stringent about every level of PCI flow, it should be a company’s standard.

The audit trap

In addition to PCI, organisations now need to prove and maintain compliance with a growing list of policies, such as SOX, FDCC and COBIT for those companies operating in the US.
With multiple policies and standards to adhere to, many companies are taking a concentrated approach to compliance, one that goes beyond the traditional box-ticking exercise performed to appease auditors.

For the majority of businesses, the compliance and audit process involves not just an investment in time but also an assortment of large and hidden costs. The traditional audit process is expensive, requires a lot of preparation, and the process itself is complex, time-consuming and labour-intensive. Added to this, without a method of monitoring compliance in real time, the traditional audit process doesn’t add any value to the business, as compliance is fleeting due to rapid change in the IT infrastructure. As time goes on, businesses continually move further away from the compliant state, so the next audit repeats the same effort at the same cost.

Compliance is becoming such an important issue within organisations that many companies are elevating compliance officers to board level. As compliance status also affects the corporate reputation and brand, especially among the larger financial organisations that store a lot of information, it’s essential that a board member holds responsibility for ensuring the role of compliance is highly visible.

How IT can help

IT can help mitigate the risk associated with system changes, which create compliance breaches. Automated processes can be put in place so that businesses don’t have to rely on manual monitoring and no longer have to try to fix problems post-audit.

By implementing software such as configuration assessment and change auditing, businesses can gain configuration control of the entire IT infrastructure. Configuration assessment software gets IT configurations into a compliant state, and continuous change auditing enables organisations to maintain that state.
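The configuration assessment and change auditing approach described above, shown as an added example that is not from the article or from any vendor product: a small Python file-integrity monitor records a known-good baseline (content hash, size and permission bits) for every file under a directory, diffs a later snapshot into an audit trail of added, deleted, modified and permission-change events, and applies one configuration-assessment rule (no world-writable files under a protected path). The directory layout, the file names (pos.conf, pos-agent, old.conf) and the policy itself are constructed for illustration; real deployments would also protect the baseline and the trail from the hosts they monitor.

```python
"""File-integrity monitoring and change auditing, as an added illustration.

Constructed for this example (not from the article): the sample directory
layout, the file names, and the 'no world-writable files under etc/' policy.
"""
import hashlib
import json
import os
import stat
import tempfile
import time
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record the attributes a change-audit control tracks for one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_snapshot(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_changes(baseline: dict, current: dict) -> list:
    """Diff the known-good baseline against a later snapshot into audit events."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            events.append({"event": "added", "path": rel, "after": after})
        elif after is None:
            events.append({"event": "deleted", "path": rel, "before": before})
        else:
            # Content and permissions are reported separately so an auditor
            # can see a weakened config and an opened-up file as two facts.
            if before["sha256"] != after["sha256"]:
                events.append({"event": "content_modified", "path": rel,
                               "before": before["sha256"], "after": after["sha256"]})
            if before["mode"] != after["mode"]:
                events.append({"event": "permissions_changed", "path": rel,
                               "before": oct(before["mode"]), "after": oct(after["mode"])})
    return events


def assess_policy(snapshot: dict, protected_prefixes: tuple) -> list:
    """Configuration assessment: flag protected files that are world-writable."""
    return [{"finding": "world_writable", "path": rel, "mode": fp["mode"]}
            for rel, fp in sorted(snapshot.items())
            if rel.startswith(protected_prefixes) and fp["mode"] & stat.S_IWOTH]


def audit_log_lines(events: list) -> list:
    """Render events as JSON lines, the form an auditor-facing trail is kept in."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return [json.dumps({"ts": ts, **e}, sort_keys=True) for e in events]


def demo() -> dict:
    """Build a constructed sample tree, baseline it, simulate drift, audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "pos.conf").write_text("tls=required\n")
        (root / "etc" / "old.conf").write_text("legacy=1\n")
        (root / "bin" / "pos-agent").write_text("#!/bin/sh\necho agent\n")
        os.chmod(root / "etc" / "pos.conf", 0o640)
        baseline = build_snapshot(root)  # the state the audit signed off on

        # Drift after the audit: config weakened and opened up, a binary
        # replaced, an unexpected file added, and a file removed.
        (root / "etc" / "pos.conf").write_text("tls=optional\n")
        os.chmod(root / "etc" / "pos.conf", 0o666)
        (root / "bin" / "pos-agent").write_text("#!/bin/sh\necho tampered\n")
        (root / "bin" / "extra.sh").write_text("echo new\n")
        (root / "etc" / "old.conf").unlink()
        current = build_snapshot(root)

        events = audit_changes(baseline, current)
        return {"events": events,
                "findings": assess_policy(current, ("etc/",)),
                "log": audit_log_lines(events)}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Run as a script it prints the five audit-trail lines for the simulated drift. The baseline is the evidence of the state an audit accepted; each later snapshot either matches it or yields a dated trail of exactly what moved away from it, which is the "continuous compliance" evidence the article describes, as opposed to a point-in-time pass.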
By generating an audit trail of any changes made, configuration assessment and change auditing software also gives organisations the evidence they need to prove continuous compliance. This helps in passing audits with fewer dedicated resources, and helps avoid high-profile breaches like those in the US, where companies that had passed a PCI audit at a point in time were breached afterwards.

IT can cut costs

Automation delivered through IT provides continuous compliance, reducing the risk of data breaches. Configuration auditing and control software also reduces costs by providing a full audit trail of every system event, from unauthorised access attempts onwards. The complete visibility of every change gives auditors rapid insight into the compliance policies and into the level and effectiveness of their enforcement. IT does not remove the need for regular audits; the third-party audit process will continue to be a core component of governance. However, the provision of an automated audit trail simplifies the process. This not only results in a significant reduction in the corporate risk associated with non-compliance, but also dramatically reduces ongoing costs. The regulatory burden is increasing, and organisations can’t afford to be intermittently compliant; the risks are too great and the costs of manual audits are high.

Key considerations

1. IT systems are in a constant state of flux. IT directors need to take new technologies, such as virtualisation, into consideration when implementing compliance policies, and be sure auditing and monitoring software can accommodate such technologies.

2. Keep compliance policies flexible to adapt to business change. With organisations constantly merging, there is also a need to adapt policies to incorporate new systems. Go through the necessary steps to align systems with the rest of the organisation. This can only be done when processes and procedures are clearly defined.

3. View compliance as a constant component of the business. Keeping systems in a compliant state is about more than answering an auditor’s questions and avoiding late-night emergency calls. Most importantly, compliance is about data and configuration integrity, stable systems, increased security, operational efficiency and cost-effective practices.

Since 2005, over 280 million records have been involved in security breaches worldwide. In January 2009, intruders hacked into Heartland Payment Systems computers used to process 100 million payment card transactions per month. In 2007, TJX reportedly spent $202 million in response to a breach that compromised cardholder account information for as many as 40 million customers. The money is being used for over 20 lawsuits brought against the company by banks and customers in the US and Canada, and to pay settlements with credit-card associations.

Achieving a state of compliance results in a secure IT environment. IT tools available today make it easy for businesses to assess, audit, assure and automate the processes involved. Companies that make use of these tools will save themselves a great deal of grief and can achieve peace of mind during such tough economic times.