Compliance is high on the IT agenda today, yet no one seems to have a clear picture of what it really involves. Inconsistent interpretation by different auditors, regulators and vendors means what worked in one year's audit could fail in the next. This whitepaper is designed to help Demystify Compliance as it relates to IT and give you some simple recipes for analyzing your own environment in the light of specific mandates.
Demystifying Compliance
Compliance is high on the IT agenda. What does it involve?
Compliance on the IT Agenda

Compliance is high on the IT agenda today, yet no one seems to have a clear picture of what it really involves. Inconsistent interpretation by different auditors and regulators means what worked in one year's audit could fail in the next. Escalating enforcement and penalties and a higher standard for "duty of care" have organizations scrambling for answers and solutions.

Vendors of everything from access control to email are claiming they address compliance requirements. But most companies have a limited notion of exactly how IT systems relate to compliance. Glib claims of "compliance packages" that are supposed to be total solutions for one or another regulation sell the idea that all you have to do is plug them in and you'll be compliant.

Companies or organizations who bought these packages are often finding out their auditors are still not happy. Even with a variety of solutions in place, IT remains in reactive mode, shouldering the cost of responding to multiple requests for new reports, access to new data sources, and specific investigations.

IT is also finding that the need to lock down access to data sources and systems is the hidden enemy of meeting auditors' demands and can have a serious impact on the ability to respond to real IT incidents, problems and failures.

We're not going to tell you that just plugging a product in and turning on a few canned reports will make you compliant. Instead, we'd like to demystify compliance as it relates to IT and give you some simple recipes for analyzing your own environment in the light of specific mandates.

In the end, your best compliance solution in the face of an audit or negligence lawsuit is to demonstrate an understanding of the spirit of the mandates that apply to your organization.

We'll start by smashing some of the myths about compliance.

Top Five Compliance Myths

Myth #1: Compliance equals regulations with specific actions.
The reality: Most regulations have fuzzy or no detail about IT implementation. And many compliance demands arise from internal assessments of risk of business disruption or lit...

Myth #2: Compliance is an IT security issue.
The reality: Sure, a lot of compliance mandates have a security dimension because they are trying to control the risk of things like information leakage and sabotage. But just as many mandates are concerned with the integrity and availability of mission-critical applications, and so preventing, detecting and responding to ordinary failures matters just as much. And beyond that, there are a lot of mandates that govern business issues such as use of insider information, which are really outside the realm of IT although IT systems play a role in recording the evidence.

Myth #3: I have to store my original logs for 7 years.
The reality: Where does it say that? Almost no mandates, and certainly not the most common ones concerning IT departments, specify log retention times. Log retention times are driven by assessments of what it will take to service other requirements such as the need to investigate incidents, detect long-term patterns, and prosecute intruders. You may want to keep 7 years available, but you may choose different strategies for more recent vs. archived data.

Myth #4: A specific set of reports will make me compliant.
The reality: See Myth #1. The regulations almost never list a specific report. There are reports that can clearly assist with particular requirements, such as the need to review failed logins, but they require a lot of fine-tuning for each unique environment. At best, a set of standard reports is a starting place. The dirty secret: most compliance report packs are developed by product managers reading the regulations and taking a guess at what kinds of reports might be helpful.

Myth #5: I need to buy a commercial solution to be compliant.
The reality: Your decision to buy a log management system rather than roll your own logging infrastructure should be based on ROI. A well-designed system should save you on initial development and integration as well as make ongoing log reporting, ad-hoc analysis and alerting more efficient. But the regulations don't say you have to buy a commercial system, and the vendors of these systems don't have any special insight into what it takes to make you compliant.

So if these are myths, what's the truth?