New software from Symantec Corp. may help make it easier for organizations to comply with various regulations like Sarbanes-Oxley and PIPEDA.
Released in March, Symantec BindView Policy Manager 3.0 allows organizations to do three key things to help with policy and compliance management, according to Indy Chakrabarti, product-marketing manager for Symantec.
The offering lets organizations create policies either by importing existing ones or by using the sample templates provided in the program. Using these templates, it is possible to create a malware policy stating that anti-virus software is installed, up to date and running across the organization, and to attest that people have read that policy.
Policy Manager also allows organizations to validate compliance with regulations and frameworks, something with which many organizations have struggled, said Chakrabarti.
“It can take large organizations forever to do audits for compliance. They will have multiple audits ongoing and have to redo audits for every regulation in every quarter,” he said. Auditors are usually working from multiple spreadsheets with hundreds of sub-objectives or policies to make sure they are complying with multiple regulations, he added.
Chakrabarti said Policy Manager eases the workload on auditors by breaking all regulations and frameworks down into basic units that are common to all of them, and by letting those units be linked to control statements, such as one requiring that anti-virus software be installed within the organization. Through these links an organization can demonstrate compliance with the regulations that apply to it, he said.
The software also lets organizations demonstrate compliance. Policy Manager gathers compliance information from the various IT administrators and from anti-virus, backup and data protection tools into one location, so that it does not have to be collected from each source individually every month. For example, evidence that anti-virus did run on a particular server would be stored alongside the malware policy.
However, Chakrabarti said Policy Manager only informs organizations that there are compliance problems. It doesn’t fix them. If the program discovers any non-compliant servers or workstations, then a second software program such as Symantec’s Compliance Manager 3.0 is needed to solve the problem.
“Regulations actually require you to have segregation of duties where one person reports on compliance issues and another fixes things,” Chakrabarti said.
James Quin, a senior research analyst with London, Ont.-based Info-Tech Research Group, said using policy management software like Symantec’s provides savings. He said it costs an average public company millions of dollars a year to hire third-party compliance auditors. “Sarbanes-Oxley compliance is a specialized field and requires a significant amount of manpower,” Quin said. Having a tool that easily validates compliance shortens the time required to prove compliance and cuts the cost, he said.
However, Quin reminds organizations that compliance is not achieved by software alone.
Software programs only establish guidelines and allow an organization to know what needs to be done to ensure compliance, he said. Tools can also set up measures to assess whether employees are actually following these policies. “A product like Policy Manager can’t make you compliant. It falls to employees in an organization to make sure they have read those policies.”
Quin said he believes companies are better off working with a professional consultant than relying on a software program, since regulatory compliance can be an extremely complex process. He said policy management software is useful for general policy management, especially for organizations that cannot afford to hire a professional consultant.