Responding to Regulatory Compliance: Microsoft and Manakoa Technology Foundations

By Mark Walla, Senior Vice President – Manakoa Services Corp/Microsoft Security MVP, and
Robert Williams, CEO – Manakoa Services Corp/Microsoft Security MVP


Regulatory compliance is shrouded in mystery because regulations often can be extremely complex. Section 404 of the Sarbanes-Oxley Act (SOX), for example, requires corporate officers and board members to demonstrate the existence of governance controls. The specific meaning of this requirement varies by company and often requires substantial interpretation by internal and external legal and business personnel.

With large fines and the possibility of jail looming over the heads of board members and chief executives, regulatory compliance is a top corporate priority. In many organizations, IT is being charged with the responsibility of addressing compliance without additional resources or even a definition of scope for basic tasks. IT professionals thus have an unprecedented opportunity to take on leadership roles in the face of increased responsibility. IT also has an opportunity to engage aggressively and with direction to increase operational budgets while demonstrating operational return on investment … and, oh yes, keeping the boss out of jail.

In this first installment, we attempt to identify the underlying assumptions surrounding regulatory compliance and to provide a starting point for IT professionals to be the focus of the compliance assessment process. Subsequently, we will post articles at our Web site (www.manakoa.com) and through Microsoft on the topics of mitigating problems, applying controls, auditing, and multiple-level reporting.

Demystifying the IT Compliance Challenge

You must first understand the nature of the regulations and how they affect the entire enterprise, not just the IT department. Very few IT professionals have the legal or accounting experience to adequately interpret and enforce laws. Research engines like the Manakoa KnowledgeBase can help slice and dice the regulations and map policy templates to cross-referenced best practices and the regulations themselves. Arming yourself with information is a painful but critical phase in regulatory compliance. You greatly enhance your ability to move forward and avoid potential minefields by taking this research time.

IT Risk Assessment and Mitigation Strategy

Establishing a sound IT risk assessment and mitigation strategy is the cornerstone of most governance frameworks and regulations. During the first wave of SOX compliance activities, most organizations engaged armies of external auditors and consultants to perform largely manual assessments. This common approach usually involves basic information gathering that takes a general aim at compliance levels using generic and ad hoc processes, designed by people who are not connected on a day-to-day basis with a corporation’s true inner workings. Such patchwork approaches divert corporate resources to back-of-the-envelope activities that provide temporary feel-good responses for senior management, but are often baseless in fact and certainly not repeatable.

As IT professionals, it is time to seize the day by mapping technology, people, processes, and policies together. Bring forth your approaches and show how you can increasingly use IT practices to identify current compliance levels and move forward affirmatively.

In a perfect world, high-level management and decision makers would use strategies in corporate governance to enhance their business processes and make better decisions. For example, if a corporation first looked at its assets and then based all expenditures on protecting and enhancing those assets, it would generally increase its value to all concerned.

A plan for Enterprise Risk Management (ERM) and compliance with corporate governance needs to start somewhere. Running and hiding is not an option. In some boardrooms, regulatory compliance surpasses even profit and loss as the top agenda item. Step up and assume leadership by applying principles of enterprise management and sound security practices.

Starting Point: Applying Technology to the Compliance Process

Let’s now take a look at these management fundamentals and how you can resolve large portions of compliance assessment and implementation through the use of Microsoft Trustworthy Computing initiative principles and products. In particular, we’ll look at Microsoft Windows Server 2003, the Active Directory directory service, Microsoft SQL Server, Microsoft Operations Manager (MOM), Microsoft Systems Management Server (SMS), and the Manakoa software suite.

All risk management plans begin with asset management. Most corporate assets, ranging from a customer contact list to financial resource information, are usually stored on or accessed from an IT-managed device. It seems that if we could extend and monitor basic IT security, we could meet many of the requirements for corporate governance. Accountability for the confidentiality, availability, and integrity of the assets contained on IT systems must be a primary focus. Some chief areas of concern for all the major regulators include:

  • Authentication and access controls
  • Network security
  • User equipment security
  • Physical security
  • Business continuity
  • Intrusion detection and response
  • Application security

Most of these security areas are highly technical. Decision makers, who may not be technical, need clear automated processes to identify compliance levels and plan resources accordingly. Once management has been clearly directed to where compliance problems exist, cost-benefit analyses can be performed, and sound decisions can be made to protect corporate assets.

In order to build an automated process for managing corporate assets, ownership must be assigned to the corporate assets stored on IT devices. We believe that Active Directory, a component of both the Microsoft Windows 2000 Server and Windows Server 2003 operating systems, already offers an excellent place to begin identifying corporate assets from an IT perspective. Both operating systems also provide Lightweight Directory Access Protocol (LDAP) implementations and offer access control over the desktop, which is the most common means of accessing corporate assets.

IT personnel assigned ownership will be required to perform an in-depth analysis of the current processes and procedures they use to protect those assets. This analysis covers all technical, managerial, and operational areas of compliance with respect to each particular asset. Once these owners complete their assessments, reports can be generated. These reports provide information to high-level management and enable them to demonstrate diligence to agencies concerned with a corporation’s compliance with a particular regulation.

A primary objective of IT is to provide management with the ability to demonstrate its current state of compliance and to also produce an audit trail of previous compliance status. Management will be able to demonstrate that assets, with previously identified weaknesses, were fortified with allocated corporate resources. This shows management’s ability to react to its changing environment. Fundamentally, management would be using risk areas to guide expenditure – a first step toward true ERM.

Manakoa Compliance Services software provides a controlled process to assign ownership to assets discovered in Active Directory. Once resource owners have been assigned by a corporation’s compliance team, assessments are performed by the employees who have the best understanding of the assets. Meaningful compliance data is collected and reported using SQL Server 2000 Reporting Services in a format that can be used by internal compliance and management personnel as well as external compliance auditors. Internal IT staff may use the reports to justify further IT spending. Board members and high-level decision makers can also use them to demonstrate their corporate compliance.
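As an added illustration of the two steps described above, using Active Directory as the starting asset inventory and then assigning ownership (this is example code written for this column, not code from the article or from the Manakoa suite), the following PowerShell script assumes the ActiveDirectory RSAT module and read access to the domain; the CSV file name and the Set-AssetOwner helper are names chosen here.

```powershell
# Added example: inventory directory-managed assets and flag those with no owner.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Two asset classes pulled from the directory: computers (servers and desktops)
# and the groups that grant access to them. managedBy is AD's own ownership field.
$assets = @()
$assets += Get-ADComputer -Filter * -Properties managedBy, operatingSystem |
    Select-Object @{n='Asset';e={$_.Name}}, @{n='Type';e={'Computer'}},
                  @{n='Detail';e={$_.operatingSystem}}, @{n='Owner';e={$_.managedBy}}
$assets += Get-ADGroup -Filter * -Properties managedBy, description |
    Select-Object @{n='Asset';e={$_.Name}}, @{n='Type';e={'Group'}},
                  @{n='Detail';e={$_.description}}, @{n='Owner';e={$_.managedBy}}

# Resolve owner distinguished names to account names; an empty Owner is an
# ownership gap that the compliance team still has to close.
$report = foreach ($a in $assets) {
    $ownerName = if ($a.Owner) {
        try { (Get-ADObject -Identity $a.Owner -Properties sAMAccountName).sAMAccountName }
        catch { "UNRESOLVED: $($a.Owner)" }   # owner object deleted or unreadable
    } else { $null }
    [pscustomobject]@{
        Asset  = $a.Asset
        Type   = $a.Type
        Detail = $a.Detail
        Owner  = $ownerName
        Status = if ($ownerName) { 'Owned' } else { 'NO OWNER' }
    }
}

# Write the review file (constructed file name) and summarise the gap for management.
$report | Sort-Object Status, Type, Asset |
    Export-Csv -Path .\ad-asset-ownership.csv -NoTypeInformation
$gap = @($report | Where-Object Status -eq 'NO OWNER')
"{0} of {1} directory assets have no assigned owner" -f $gap.Count, $report.Count

# Hypothetical helper: once the compliance team has decided on an owner, record it
# in the directory so the next run of this report shows the asset as owned.
function Set-AssetOwner {
    param([string]$Asset, [string]$Type, [string]$OwnerSamAccountName)
    $owner = Get-ADUser -Identity $OwnerSamAccountName
    if ($Type -eq 'Computer') { Set-ADComputer -Identity $Asset -ManagedBy $owner }
    else                      { Set-ADGroup    -Identity $Asset -ManagedBy $owner }
}
```

Rerunning the script after owners have been recorded gives the audit trail of ownership coverage over time that the article describes.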

Resources can then be allocated to mitigate the identified compliance weaknesses. Because the assessment is repeatable, it can be rerun as necessary, enabling an organization to react to its changing environment while maintaining awareness of its compliance level.

Conclusion

Regulatory compliance is a golden opportunity for IT professionals to make a greater corporate contribution. Begin with a fundamental education on the core requirements of the regulations affecting your organization and the best practices that apply. Take a broad-based view that marries technology to processes, policies, and people. Utilize IT technologies, like Active Directory, that are already in place, and utilize other emerging products that permit solid, repeatable, and quantifiable results.