Automated Risk and Compliance Management for proactive and cost effective IT risk and compliance management
(13/03/2009)
As organizations rely more heavily on IT infrastructure to support critical business applications and processes, a Perfect Storm has emerged for IT Risk and Compliance Management. It is formed by the intensification of three colliding drivers:
Business Exposure:
• Achieve and maintain compliance with internal best practices or regulatory mandates.
• Proactively reduce IT risk exposure – despite thousands of new and highly sophisticated cyber threats and vulnerabilities.
• Proactively reduce availability exposures – despite daily network configuration changes.
Resource Constraints:
• Reduce resource dependency – due to financial pressures or inability to find skilled resources, achieving operational efficiency is now mandatory.
IT Complexity:
• Manage increasing IT complexity - due to the number of systems, diversification of vendors, inefficient processes, and new technologies.
According to industry experts, these three drivers will continue to intensify. The Perfect Storm is here to stay as long as IT Risk and Compliance Management is addressed through inefficient and costly manual processes. One way to find safe harbor is emerging, however, through the deployment of a proactive, automated, and cost-effective approach.
Automated Risk and Compliance Management (ARCM)
The Perfect Storm can be completely circumvented through the deployment of ARCM solutions. Since 2004, ARCM has aimed to move away from reactive security and compliance programs to more proactive, measurable, and predictable best practices. Some of the largest and most security-conscious organizations with large, complex, constantly changing global networks have saved time and money through ARCM. These organizations can identify IT risk, threats and vulnerabilities as well as compliance exposures in minutes versus days or weeks. And ROI is often realized in a few months despite increased complexity and rapid change.
ARCM solutions should contain four key technical capabilities:
• Modeling
• Analytics
• Predictive or What-if Capability
• End-to-end Automation
The benefits are:
- Modeling allows organizations to conduct proactive analysis, assessment and management of risk and compliance exposures without affecting the IT environment.
- Modeling, analytics and predictive capability together enable an in-depth understanding of the past, present, and future.
- Automation enables fewer resources to drive complex decisions based on facts rather than subjective assessments. Risk and compliance exposures and their business impact can be quickly assessed in a few minutes – a process that today can take hours, days and even weeks.
- Fewer resources required to get the job done - even within complex and heterogeneous IT environments.
These benefits produce meaningful and measurable business results:
- Annual process savings of 80%-95%
- Reduce staff load and rework
- Improved IT security and availability – continuously verified
- Compliance assurance – despite rapid change
According to organizations that have deployed ARCM, there is no other way to accomplish the above, even with unlimited human resources. The characteristics of ARCM solutions are:
• Used each day to solve complex operational challenges
• Should not add another layer of security or information silo
• Establish a unified view whose intelligence can be quickly analyzed to drive critical decisions
• Should seamlessly integrate with existing IT infrastructure and perform all analysis off-line so that the production environment and business applications are not disrupted
ARCM Relationship to IT Governance, Risk & Compliance (IT GRC)
With so much noise surrounding IT GRC, many organizations have become confused as to what IT GRC really means and how it fits. According to industry research reports, the IT GRC market space will be composed of strategic business frameworks (aka Framework vendors) and tactical operational solutions (aka Risk and Compliance Management vendors), each designed to address different business challenges.
IT GRC business frameworks substantially help organizations implement CobIT, COSO, ITIL, ISO or other control frameworks. They aggregate IT control-related information across IT programs and periodically report the organization’s governance status. IT programs include, but are not limited to, identity management, risk management, compliance management, change management, configuration management, and more.
The goal is to help organizations report with a systematic and enterprise-wide approach on IT controls and governance initiatives. Therefore, they can help:
1. Define IT policies, processes and controls based on best practices
2. Map policies to technical controls
3. Report on control framework implementation status and effectiveness
4. Automate the governance of these elements
On the other hand, risk and compliance management solutions are used in an operational role on a daily basis by the security team and IT operations to identify, measure, or manage technical security controls necessary to reduce IT risk or compliance exposure. These solutions collect configuration and log information from network devices and other IT information systems such as patch management, vulnerability management, and asset management.
Automation is usually incorporated to enable the organization to demonstrate a measurable, repeatable and efficient methodology for IT risk and compliance management:
1. Identify, measure, and manage security risk, threat or vulnerability exposures
2. Assess the effectiveness of technical security controls
3. Support the change management process
4. Automate the processes of these elements
The benefits are:
• Improve IT security and verify if technical controls are compliant with corporate policies
• Maximize existing IT investments
• Scale to meet current and future needs
• Reduce resource dependency - saving time and money
ARCM solutions provide critical information to the IT GRC framework solutions in support of a broader IT GRC mandate.
ARCM solutions are now turning the talk of proactive and cost-effective IT risk and compliance management into reality – and helping organizations safely navigate the Perfect Storm. Looking into the future, ARCM will evolve to: automate many processes throughout the entire IT stack; serve as a much-needed “Database of Record” for the state of IT security and compliance; and integrate within the organizational IT and security management eco-system.
SkyBox Security is exhibiting at Infosecurity Europe 2009, on 28th – 30th April, www.infosec.co.uk