Comprehensive IT governance, risk and compliance increases the quality of the IT infrastructure
// by Matthias Rensing
Tool-supported solutions ease compliance with regulatory requirements such as those of ISO/IEC 27001 and of the Sarbanes-Oxley Act
The IT infrastructures of companies in different industries, in particular those in the financial sector, must adhere to a growing number of internal and external requirements. Among them are requirements from statutory rules and regulations (Sarbanes-Oxley Act), standards (PCI DSS, COBIT), norms (ISO/IEC 27001), and internal policies. These must be taken into consideration at the strategic level as part of IT governance and implemented through corresponding processes, resources, and guidelines at the operational level. To assess both the effectiveness of the selected measures and adherence to the aforementioned requirements from the point of view of IT compliance, a comprehensive system of internal controls is a prerequisite. The quality of that system of controls and its tight integration with IT risk management processes are decisive. On the one hand, the quality of the IT infrastructure is to be continuously improved by identifying and analysing IT risks and treating them with suitable measures. On the other hand, the effectiveness and efficiency of audits is influenced considerably, which motivates more and more companies to invest in a comprehensive, integrated, tool-based IT governance, risk and compliance (IT GRC) solution.
Symantec Control Compliance Suite provides comprehensive options
With the Symantec Control Compliance Suite (CCS), the manufacturer, Symantec, provides a comprehensive, modular IT GRC toolset with a highly scalable architecture. The seven modules cover different functional components and can be flexibly combined and integrated via a uniform CCS infrastructure component, a centrally defined asset system, and a uniform control system.
In this way, data from different modules and from third-party providers can be combined via the infrastructure component, ultimately yielding an overall picture with numerous analysis options for risk and compliance assessments. The subjects of these assessments are the IT and business assets administered via the asset system. The control system defines the totality of all controls. A control can be related to multiple mandates (statutory requirements, rules and regulations, standards, norms, etc.). This makes mandate-related reporting possible and, at the same time, avoids redundancies at the control level that would otherwise arise if controls were derived directly from the overlapping requirements of different mandates. The detailed implementation of a control is specified by assigning technical or organisational tests to it.
A multi-tiered system of controls helps to avoid costly redundancies
Multiple target-system-specific tests can be assigned to one control so that configurations on target systems with different operating systems and operating system versions can be determined and assessed. In addition to the target values and intervals of individual tests, risk factors can be maintained in order to assess the risk when deviations occur.
Organisational checks can be performed with tool support via the development, distribution, collection, and analysis of questionnaires. Technical tests, on the other hand, are automated via configurable and schedulable processes. First, the raw data on the relevant system configurations is collected from the target systems by one or more CCS servers, either agent-based (via agent software installed on the target system) or agentless (via a privileged functional user), and stored. The data is then evaluated in an analysis process in accordance with the target values and risk factors defined in the tests.
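The control/mandate/test relationship and the evaluation step described above, as an added Python illustration that is not Symantec's or noventum's code; the control ids, setting names, intervals and risk factors are constructed assumptions, as is the collected raw data:

```python
from dataclasses import dataclass, field
# Illustrative model only (not CCS code); ids, setting names and values are assumptions.
@dataclass
class Test:
    platform: str       # target OS the test applies to
    setting: str        # configuration key collected from the target system
    low: float          # acceptable interval [low, high]
    high: float
    risk_factor: float  # weight added when the collected value deviates
@dataclass
class Control:
    control_id: str
    mandates: list      # one control can serve several mandates (SOX, PCI DSS, ...)
    tests: list = field(default_factory=list)

def evaluate(assets, controls):
    # one row per (mandate, asset, control): (mandate, asset, control_id, ok, risk)
    rows = []
    for asset in assets:
        for ctl in controls:
            tests = [t for t in ctl.tests if t.platform == asset["platform"]]
            if not tests:
                continue  # control has no test for this platform: not applicable
            risk = 0.0
            for t in tests:
                value = asset["config"].get(t.setting)
                # a setting that could not be collected counts as a deviation
                if value is None or not (t.low <= value <= t.high):
                    risk += t.risk_factor
            for mandate in ctl.mandates:
                rows.append((mandate, asset["name"], ctl.control_id, risk == 0.0, risk))
    return rows

def mandate_summary(rows):
    """Aggregate per mandate: failed control/asset pairs and their summed risk."""
    out = {}
    for mandate, _, _, ok, risk in rows:
        entry = out.setdefault(mandate, {"failed": 0, "risk": 0.0})
        if not ok:
            entry["failed"] += 1
            entry["risk"] += risk
    return out
CONTROLS = [  # constructed sample control system: one control, two platform tests
    Control("PW-01", ["SOX", "PCI DSS"], [Test("linux", "pass_min_len", 12, 128, 2.0),
                                          Test("windows", "MinimumPasswordLength", 12, 128, 2.0)]),
    Control("LOG-02", ["PCI DSS"], [Test("linux", "log_retention_days", 365, 10000, 1.5)]),
]
ASSETS = [  # constructed sample raw data as a CCS server would collect it
    {"name": "srv-db-01", "platform": "linux", "config": {"pass_min_len": 8, "log_retention_days": 400}},
    {"name": "srv-ad-01", "platform": "windows", "config": {"MinimumPasswordLength": 14}},
]
```

Because PW-01 is linked to both mandates, one deviation on srv-db-01 appears in the SOX and the PCI DSS report without a second, duplicated control.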
Multifaceted analyses via dashboards and reports
Finally, the analysis results can be output and published via predefined as well as customised reports and dashboards, tailored to the recipients, at different levels of detail and in relation to different mandates.
Follow-up activities, such as accepting deviations when a party authorised to do so assumes the risk (exception management), or initiating measures to remedy deviations (remediation), are supported within the tool or through integration options such as programming interfaces for connecting ticket systems.
noventum supports implementation of Symantec Control Compliance Suite
noventum is supporting an internationally active telecommunications company in the implementation of the Symantec Control Compliance Suite. In the future, CCS is intended to be a central component of a new IT service that analyses the compliance and the risks of the IT infrastructure in the data centres operated by the company. The needs for action it uncovers are then to lead to measures and continuous improvements of the IT services executed in the data centres. Another high-priority objective is to be able to provide the evidence for audits under the Sarbanes-Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS) effectively and efficiently.
For the data management of the CCS asset system with IT and business assets, an interface was developed based on Microsoft SQL Server and Microsoft SQL Server Integration Services (SSIS). Data on IT and business assets (Unix, Windows, Oracle, MS SQL, business services) is regularly extracted, cleaned, integrated, and transformed via ETL processes, primarily from the central configuration management system but also from other data sources (e.g. network scanners or locally maintained inventory lists), and ultimately imported into the CCS asset system. A critical success factor in this context turned out to be the quality of the configuration management processes and, with it, the data quality of the configuration management system.
Process quality and data quality can become the critical factor
The company's existing control system was revised and integrated into the Control Compliance Suite. In doing so, the company's existing controls were mapped to predefined content in CCS (mandates, controls, technical tests) and expanded or adapted as necessary. The Center for Internet Security Benchmark (CIS Benchmark) standards predefined in CCS are particularly suitable for selecting relevant controls and technical tests; in addition, they provide comprehensive metadata such as detailed descriptions and instructions. To ensure a long-term positive development of the IT infrastructure, the controls were aligned with the standard configurations of the IT assets and will in future be taken into consideration in quality assurance prior to the commissioning of new servers.
For the agentless execution of the controls, privileged users must first be created on the target systems. The effort involved is considerably influenced by how many target systems are administered centrally. Because the IT assets are distributed across multiple data centres and networks, routing each IT asset to a CCS server that can reach it posed a challenge. Here the effort is largely determined by the complexity of the network topology. It is important to place the right number of CCS servers at the right locations in the network in order to avoid corrections after the fact as well as unnecessary firewall openings.
Often, the complexity of the network topology determines the effort
By means of various CCS-internal processes, the execution and analysis of the controls was configured so that each IT asset is assessed once per month. Customised reports created by noventum provide the analysis results for different recipients at different levels of detail and for different purposes, such as auditing or follow-up processes for remedying or accepting deviations.
For several years now, noventum has been involved in the processes surrounding the provision of evidence for a sub-section of the customer's SOX audit and was substantially involved in designing the respective processes. Coordinating the activities and the parties involved (e.g. auditors, customers of the IT services, data centre teams, IT compliance, IT risk management), as well as reporting in connection with the SOX audit, are among the responsibilities of the consultants deployed. Even though this is an ongoing project, there are already indications of the added value of the implemented solution. In the last fiscal year it was possible for the first time to successfully use the Control Compliance Suite for providing evidence for the SOX audit, which led to a noticeable increase in effectiveness and efficiency.
noventum's broad portfolio of services is a distinct advantage in the implementation of a comprehensive solution such as the Symantec Control Compliance Suite, since expertise from different services can be applied to the numerous activities. For the project presented here, consultants from different service areas are being deployed and are successfully contributing their expertise in data integration & business intelligence, IT service management, data centre services, IT processes, and organisation.
noventum consulting GmbH