The law generally lags information technology, requiring much time and casework to deliberate upon the novel criminal opportunities it presents. But the law is starting to catch up — and is casting its baleful eye on the way IT departments handle information.
Many of the recurring problems analysts observe in the scramble to meet compliance requirements stem from the fact that the IT function is relatively immature, lacking the standards, processes and procedures needed to deal with risk.
At the core of most compliance projects is the need to implement or document processes and the controls put in place to manage IT risk. “There’s not a lot of education within IT departments about what a control is,” says Will O’Brien, partner at The Manta Group. “A lot of controls exist but they don’t see them as controls or don’t understand how something can be a control. There’s a lot of logging going on but it’s not a control unless someone looks at it.”
Segregation of duties is a well-understood control concept in accounting departments — the potential for fraud exists if the person who prepares cheques also has signing authority. But that relationship is more obscure when dealing with nebulous access rights to data. “Database administrators’ backdoor access is an area where there haven’t been a lot of formal documented controls,” says Laurie Wall, project manager for SAS 70 initiatives at Cap Gemini. “We are having to implement a lot of additional controls…to demonstrate that only the right people have access to the right data.”
More broadly, change management procedures to segregate development and production functions are also a recurring issue. Without proper segregation, testing a system under development may have a deleterious effect on the live production system and the integrity of the data flowing through it. Since it is costly to duplicate and maintain separate platforms for these two environments, there is a certain amount of overlap in many organizations. “Certain levels of knowledge and people working in teams have to be checked and reviewed, and sometimes the teams have to be broken up,” says Lane Leskela, vice-president and research director at Gartner Inc.
IT departments have to work with many areas like legal counsel, audit and finance — all areas with their own specialized jargon — to translate high-level regulatory requirements into specific system requirements.
“Organizations need to have a common taxonomy or dictionary of definitions so they’re all speaking the same language,” says Wall.
Speaking the same language, in turn, implies a need for a conceptual framework all parties can use to understand and manage risk. An alphabet soup of control frameworks exists, but three are gaining the greatest acceptance for compliance projects: COSO (Committee of Sponsoring Organizations of the Treadway Commission) is an enterprise risk framework that covers all business risks, and has been highlighted as the preferred framework for Sarbanes-Oxley; COBIT (Control Objectives for Information Technology) is a sub-set of COSO which deals specifically with IT risk; and ITIL (Information Technology Infrastructure Library) is a process framework of best practices for IT service, support and delivery.
“Organizations that don’t have documented IT processes…can use ITIL to document them, use COBIT to control processes, and plug those controls back into the COSO framework so you have that lineage,” says O’Brien.
But implementing controls has pitfalls. Addressing each set of regulatory requirements as a separate project can lead to wasted effort. “Lots of organizations have one set of consultants in doing PIPEDA compliance, another set doing Sarbanes-Oxley…so they’re really duplicating their expenditures,” says O’Brien.
Gartner’s Leskela agrees: “Organizations should seek to eliminate the total number of controls that need to be managed. Find the common denominators between one level and another, without redundantly going through an entirely new set of principles or bureaucracy or new control framework.”
IT governance can eliminate redundant efforts by establishing the rules and regulations — one central process — for managing all IT functions. “A good governance program can help organizations comply with any kind of legislation or regulation that comes down the pipe,” argues O’Brien. “When you talk about Sarbanes-Oxley or PIPEDA or whatever, what you’re really talking about is controlling data integrity. If you’re designing a control to maintain the integrity of data, does it matter what the data is, whether it’s customer data or financial data? No. So do it once and use it many times.”