During 2007 and 2008, Congress and state legislatures were busy passing, refining and enacting hundreds of laws that require new IT strategies for storing, protecting and accessing organization and customer data.
As compliance and e-discovery practitioners gather at LegalTech New York 2009 this week, one question IT administrators are asking is: "What will happen this year?" With new technologies, a new presidential administration and the global financial crisis, which IT strategies and products will emerge in 2009?
Dorian Cougias, founder and CEO at Oakland, Calif.-based Network Frontiers LLC and the primary architect of the Unified Compliance Framework (UCF), says this will be the year auditors get serious about enforcing those legal requirements. "People right now are just getting a handle on what the rules say," notes Cougias. "We have enough rules. Let's link the 'thou shalt' in the rules to something that can be configured to ensure that the 'thou shalt' is followed."
According to technology and government policy experts, dealing with virtualization and streamlining configuration management will be hot compliance topics in 2009. Examiners will require IT shops that have moved to virtualized environments to prove that those virtual systems are as safe and secure as their physical counterparts. And auditors will begin to require documentation and proof that the regulatory guidelines enacted in the past two years are being followed -- making streamlined configuration management essential, especially in a down economy.
Virtualization's role in compliance
Virtualization is changing the way a lot of things are handled in IT and storage networks, including maintaining regulatory compliance goals. Configuring, maintaining and proving that virtual systems are just as secure as physical systems will become a big issue for companies seeking virtualization's cost and resource savings.
"What we're seeing with the advancements in virtualization found in SAN storage, virtual machine [VM]-based applications and now global file virtualization," says Cougias, "is that organizations are going to have to focus on ensuring that these virtual pipelines move data from a compliant application, through a compliant data network, compliant SAN switch and fabric, compliant SAN device and a compliant file system."
Questions about virtual systems include the following: Who are the caretakers of the virtual systems? And must the virtual system be configured from the beginning to meet compliance objectives?
Cougias says the answer is "yes" to that last question. "In a virtualized environment, if I'm not configuring the storage system to work directly with the application from the get-go, I'm screwed before I begin," he says.
Storage administrators have been coming to grips with virtual machines over the past few years. Now it's time for people on the compliance side to do the same, says Geoff Webb, senior manager, product marketing at systems security vendor NetIQ Corp.
"There are a lot of questions being asked and answers being sought in this space," notes Webb. "As the drive to virtualization continues to barrel along, the security and compliance side is really having to play catch-up."
Compliance configuration, auditing emerging
Cougias says the next two years will bring two distinct steps toward complying with the rules enacted in 2007 and 2008.
"So 2009 will be the year of compliance configuration management and auditing, based on the 2007 and 2008 laws," says Cougias. "Then 2010 will be the year of change management — monitoring and ensuring that configured systems stay that way."
NetIQ's Webb and Chan Yoon, senior manager, product management at the firm, say unified compliance mapping and automation will drive configuration management.
Think of unified compliance mapping as a Babel Fish that translates regulatory double-speak to IT poetry called common controls, and shows you which controls apply to multiple compliance requirements.
The 500 or so current regulatory requirements that affect IT operations (which together run to literally hundreds of thousands of pages of legislation) boil down to roughly 2,500 unique common controls.
Cougias' UCF, a well-known mapping system, is a spreadsheet of all of the regulatory document references and their corresponding technical controls. It spells out in IT terms what must be done to meet each compliance requirement and tracks which controls apply to more than one requirement. "One of the neat things we've shown with the UCF is that 87% of all the controls overlap each other," says Cougias. "Even if something new comes out in 2009, there's almost a 90% chance that if you're following one of the other guidelines, you're already good to go. You just need to prove it in an audit."
With the UCF and its support resources, you can determine what you need to do to meet your compliance mandates, as well as how fulfilling one requirement may satisfy another regulatory requirement.
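The idea behind unified compliance mapping described above can be made concrete with a small script. This is an added example, not the UCF or any NetIQ code: the regulation names are real, but the citations, the control identifiers (CTRL-0101 and so on) and the mapping between them are constructed for illustration and are not the UCF's own identifiers or mappings. It shows the three questions the text raises: what fraction of controls overlap across documents, which controls a newly adopted mandate already has covered, and which citations a single control satisfies, which is the evidence an auditor wants to see reused.

```python
"""Unified compliance mapping, reduced to a worked example.

Constructed data: the regulation names are real, but the citations,
control IDs and the mapping between them are invented for illustration.
They are NOT the UCF's own identifiers or mappings.
"""
from collections import defaultdict

# Constructed mapping: authority document -> citation -> common control IDs.
AUTHORITY_DOCS = {
    "SOX": {
        "Sec. 404": {"CTRL-0101", "CTRL-0102", "CTRL-0110"},
        "Sec. 302": {"CTRL-0101", "CTRL-0120"},
    },
    "HIPAA": {
        "164.308(a)(1)": {"CTRL-0101", "CTRL-0130"},
        "164.312(a)(1)": {"CTRL-0102", "CTRL-0140"},
        "164.312(b)": {"CTRL-0110"},
    },
    "PCI DSS": {
        "Req. 7": {"CTRL-0102", "CTRL-0140"},
        "Req. 10": {"CTRL-0110", "CTRL-0150"},
    },
}


def controls_by_document(docs):
    """Flatten the mapping to: document -> set of every control it requires."""
    return {doc: set().union(*cites.values()) for doc, cites in docs.items()}


def overlap_ratio(docs):
    """Fraction of distinct controls that are required by more than one document.

    This is the figure the text quotes as '87% of all the controls overlap'.
    """
    owners = defaultdict(set)  # control -> documents that require it
    for doc, controls in controls_by_document(docs).items():
        for control in controls:
            owners[control].add(doc)
    if not owners:
        return 0.0
    shared = [c for c, docs_needing in owners.items() if len(docs_needing) > 1]
    return len(shared) / len(owners)


def gap_analysis(docs, implemented_docs, new_doc):
    """Split a new mandate's controls into (already covered, still to do).

    implemented_docs: documents whose controls are already in place.
    new_doc: the document being adopted.
    """
    by_doc = controls_by_document(docs)
    have = set().union(*(by_doc[d] for d in implemented_docs))
    need = by_doc[new_doc]
    return sorted(need & have), sorted(need - have)


def citations_for_control(docs, control):
    """Every (document, citation) pair a control satisfies.

    One piece of evidence for this control can be reused for each pair.
    """
    return sorted(
        (doc, cite)
        for doc, cites in docs.items()
        for cite, ctrls in cites.items()
        if control in ctrls
    )


if __name__ == "__main__":
    print(f"overlap: {overlap_ratio(AUTHORITY_DOCS):.0%}")
    covered, gap = gap_analysis(AUTHORITY_DOCS, ["SOX", "HIPAA"], "PCI DSS")
    print("PCI DSS already covered:", covered)
    print("PCI DSS still to implement:", gap)
    print("CTRL-0110 evidence reusable for:", citations_for_control(AUTHORITY_DOCS, "CTRL-0110"))
```

On this constructed data four of the seven distinct controls are shared by at least two documents, and an organisation that already meets SOX and HIPAA has three of the four PCI DSS controls in place before it starts. Replacing the dictionary with a real mapping exported from a compliance framework is the only change needed to run the same analysis for a live environment.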
Configuration management automation is another tool emerging in 2009 to rid IT administrators of their compliance nightmares. "What we'll see in 2009, and what we're having vendors ask about, is how to take a common control identifier, configure it and produce a report that makes sense to auditors," says Cougias.
Jim Hurley, managing director of the IT Policy Compliance Group USA, an industry group that promotes research and information to help IT security professionals meet policy and regulatory compliance goals, says automation may be the only way organizations can meet their regulatory requirements and stay in business.
"If [organizations] continue to do everything by hand, they're going to continue to overspend [to meet their compliance goals]," says Hurley. "If they start automating some of the procedures and the testing of those procedures against the policies, and they take the auditors' advice to maintain their controls and documentation, they're probably going to be OK. You can't get there from here with people. You have to automate that kind of process."
Combining unified compliance mapping and automation is key. "That's where you really get the savings," says Cougias. "Where you can [identify common controls] and use the automation process with little or no overhead — that's where you can become a bigger friend of the CFO [chief financial officer]."
Regulations heard around the world
Hurley says we can expect to see movement toward standardizing worldwide accounting practices and risk management over the next year. "From everything I'm hearing, this is being looked at from a worldwide perspective," he says. "Rather than something being done just in New York, Hong Kong or another financial center, it really needs to be done around the world."
Hurley also sees more attention being paid to the gap between IT, accounting and auditing teams. This is especially true as he sees some new banking regulations coming out of the Switzerland-based Basel Committee on Banking Supervision (BCBS). These will "send shockwaves through the IT community over the next two or three years," says Hurley.
Unlike unpopular political administrations, government regulations won't eventually go away. Well-known legislation like the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act (HIPAA) will only grow in importance and reach as technology allows organizations to gather and store more personal data. Implementing a solid governance, risk and compliance (GRC) management solution now may spare your organization further government attention, save money and even save your job.