Guide to Network Auditing and Compliance

Network auditing and compliance require education, planning

By Denise Dubie

Getting and staying compliant requires IT organizations to follow a few best practices.

Learn regulatory requirements: Compliance becomes overwhelming for many IT shops because they don't have a clear understanding of what various regulations require. According to certified information security manager and independent IT security/SOX auditor Michael Kamens, when an IT shop seems stalled by too many controls, IT executives "can reduce these by having an educated understanding of what the actual law asks for."

Conduct a network pre-assessment: To become compliant, IT organizations must first know their compliance profile. IT executives must review IT infrastructure, application architecture, policies, procedures and processes, and overall network design.

Standardize policies and processes across IT domains: While many GRC efforts start in one domain, IT organizations going forward need to design compliance efforts to address an entire IT and business environment. "Organizations are beginning to define their organizational structures, business processes and technology architectures to implement an infrastructure that effectively defines, manages and monitors GRC," Forrester Research reports. "Often this endeavor starts with a single area of GRC and is aimed at moving to encompass other areas over time."

Educate IT and company users on compliance policies: No policy-based effort can succeed unless the user community understands, accepts and practices the policies. IT executives working toward compliance must conduct education and training exercises with both IT and corporate users to ensure they follow the set of policies and procedures designed to keep the company compliant.

Monitor ongoing compliance: Once policies are established and systems are standardized in line with regulatory requirements, IT executives should invest in tools that monitor network and system access and configuration to prevent compliance drift. Such tools record actions taken in the environment, flag misconfigured network and system elements, and give IT shops the chance to remediate problems before an audit rather than after one.

Key issues to consider before buying into network auditing, compliance tools

By Denise Dubie

Not all network audit and compliance technologies are created equal. IT organizations should consider a few criteria before investing in a tool.

Agent-based vs. agent-less: As with most management products, compliance management tools may require an agent on or near the environment being monitored. Agents typically yield more continuous and detailed data but must themselves be deployed, patched and inventoried; agent-less tools avoid that overhead but depend on network reachability and privileged credentials to the systems they scan, which must be protected in their own right. Depending on the budget and labor allocated to GRC, IT executives should determine which approach is the better fit for their environment.

Third-party system support: Most GRC tools must collect data across multiple network devices and systems to learn and maintain the compliance profile of the environment. Check with vendors to see if they have hooks into specific infrastructure or application environments and ask how much integration work will need to be done upfront to start managing compliance.

Best practice framework intelligence: IT organizations embarking on compliance efforts can sync up those efforts with IT process improvement initiatives already under way. For instance, if a company is tackling ITIL, COBIT, Six Sigma or Capability Maturity Model, IT executives should ask potential GRC vendors if they have incorporated any of that process expertise into their products.

Vertical industry alignment: Depending on the nature of the business, tools designed to address regulations in financial services, manufacturing, retail or other industries can help IT shops get up-to-speed faster on what is required for compliance. Some vendors also focus on multiple regulations required for specific industries, which can help IT executives tackle these with one tool.

Regulatory requirement insight: In the same vein as industry alignment, companies looking to comply with one regulatory requirement, such as SOX, can turn to vendors specializing in that area. Such tools can report on the environment and the data collected from it in the format auditors require for specific regulations.

Network auditing market moves to automation

By Denise Dubie

As enterprises take a more methodical approach to compliance, network auditing and compliance vendors are looking to make the job easier by automating more steps and improving the documentation features of their tools. Vendors continue to improve their products by adding fine-grained policy controls, measuring how often users follow policies and mapping reporting capabilities to specific regulatory requirements.

Companies ranging from governance newcomer Brabeion Software to management heavyweights CA and IBM to configuration player Solidcore have enabled their products to track compliance by adding support for detailed governance policies and continual monitoring.

Brabeion's software taps a library of content detailing the controls IT managers are required to provide to SOX auditors, for instance, and it also includes comprehensive information on control frameworks such as Control Objectives for Information and related Technology (COBIT). The company offers the ability to define role-based dashboards that provide comprehensive metrics, and track user policy acceptance and remediation efforts, among other things.

IBM conducted discussions with hundreds of CIOs to identify the compliance triggers IT executives deal with in their companies, such as the ability to quickly respond to a request for legal discovery. That feedback helps Big Blue instrument its technology to collect data relevant to such a request and develop a report that satisfies auditors. And it represents a vendor trend to move compliance efforts out of the silos of IT and across environments to address workflows that touch many IT domains and span the network.

"The practice of [governance, risk and compliance] has evolved from siloed applications, documents and spreadsheets to enterprise content management in order to manage compliance documentation," Forrester Research reports. "Now there is an increased focus on supporting GRC through the use of business process management, rules engines and automated compliance monitoring, as well as advanced analytics and dashboards."

Industry watchers warn that the features provided in such compliance management software can only address IT processes and policies as defined by the IT organization, which requires shops to maintain up-to-date and relevant compliance standards. Also, IT shops must continually work to align their compliance policies with their specific businesses. "Every industry is regulated now, and there isn't one product that provides compliance rules for all the regulations. Compliance requires ongoing process and policy improvements," says Burton Group's Mike Neuenschwander.

Network auditing and compliance: How does it work?

By Denise Dubie

Suppliers of several types of management software are addressing compliance concerns by delivering tools that do everything from sounding alerts when systems drift from their approved configuration to automatically remediating problems and generating reports that can be used in audits.

The general idea is that once a company determines how to be compliant and has policies in place, network, system and security management software can automate the processes needed to stay compliant. That can range from tracking and documenting changes to monitoring system access and usage to producing reports specific to regulations. Configuration, desktop, and identity and security management wares are being pushed as compliance tools to help IT teams monitor and document compliance efforts.

Network auditing and compliance tools use scanning and monitoring technologies to track access to critical devices and ensure actions comply with policies. The products collect data and maintain detailed records, sometimes in the format required by regulatory compliance demands.

Network audit and compliance software, at times packaged in appliances, includes components such as audit, compliance and database servers. The audit server runs scans, the compliance server analyzes and processes the scan results against the defined policies, and the database server stores both raw and processed data so that every finding can be traced back to the scan that produced it. Compliance managers typically use a Web-based console to view the collected data and generate reports.

Products used to audit environments typically run on a scheduled basis and alert IT managers to changes. The managers can then investigate the change and document the outcome, easing reviews by external auditors. Two caveats apply: the tool can only report drift relative to a baseline that was itself reviewed and approved, and a change made and reverted between two scheduled scans will not be seen unless the systems also log changes as they happen. Most tools don't take automated action to prevent non-compliant behavior, but some can lock down access to specific systems when no known policy authorizes that access.

Compliance is a moving target, so such tools must be kept current with policy changes and must continue to run after a successful audit to prevent compliance drift. At that point the technology is used to keep the environment in a compliant state and to provide ongoing documentation that it has stayed there.
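To make the scan-analyze-store pipeline concrete, here is an added example that is not code from any product mentioned on this page or from the author. It implements, in miniature, both the "monitor ongoing compliance" step from the best-practices list and the audit/compliance/database split described in this section: collected device configurations are fingerprinted and compared with the last approved baseline (drift), checked line by line against a small rule set (policy), and turned into audit records an operator can review. The device names, IOS-style configuration lines, rule identifiers and baseline are all constructed for the example; real tools would pull the configs over SSH or an agent and persist the records to a database rather than returning a list.

```python
"""Configuration-drift and policy checker (added example, not a product's code).

Mirrors the pipeline in the text: an audit step collects device configs, a
compliance step checks each config against policy rules and against the last
approved baseline, and a store keeps the result as an audit record.
Device names, configs, rule ids and the IOS-style syntax are constructed.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed snapshots. core-rtr-1 has drifted since its baseline was
# approved: telnet was re-enabled on the vty lines and the syslog server
# line was removed. edge-fw-1 is unchanged but never had the HTTP server
# disabled, so it is a standing policy violation rather than drift.
BASELINE_CONFIGS = {
    "core-rtr-1": (
        "hostname core-rtr-1\n"
        "no ip http server\n"
        "line vty 0 4\n"
        " transport input ssh\n"
        "logging host 10.0.0.50\n"
        "ntp server 10.0.0.60\n"
    ),
    "edge-fw-1": (
        "hostname edge-fw-1\n"
        "line vty 0 4\n"
        " transport input ssh\n"
        "logging host 10.0.0.50\n"
        "ntp server 10.0.0.60\n"
    ),
}
CURRENT_CONFIGS = {
    "core-rtr-1": (
        "hostname core-rtr-1\n"
        "no ip http server\n"
        "line vty 0 4\n"
        " transport input telnet ssh\n"
        "ntp server 10.0.0.60\n"
    ),
    "edge-fw-1": BASELINE_CONFIGS["edge-fw-1"],
}

# Policy rules (constructed ids): (rule id, description, line regex, must_be_present).
# A rule passes when a matching line is present (True) or absent (False).
POLICY_RULES = [
    ("AC-1", "Remote management restricted to SSH", r"^\s*transport input ssh\s*$", True),
    ("AC-2", "Telnet not offered on vty lines", r"^\s*transport input .*\btelnet\b", False),
    ("AU-1", "Central syslog server configured", r"^logging host \d+\.\d+\.\d+\.\d+$", True),
    ("CM-1", "HTTP management interface disabled", r"^no ip http server$", True),
]


def fingerprint(config: str) -> str:
    """SHA-256 of the config text: a cheap way to notice that anything changed."""
    return hashlib.sha256(config.encode("utf-8")).hexdigest()


def evaluate_policy(config: str) -> list:
    """Rule ids the config violates, in policy order."""
    lines = config.splitlines()
    violations = []
    for rule_id, _description, pattern, must_be_present in POLICY_RULES:
        present = any(re.search(pattern, line) for line in lines)
        if present != must_be_present:
            violations.append(rule_id)
    return violations


def diff_lines(baseline: str, current: str) -> dict:
    """Config lines added to or removed from the approved baseline."""
    base, cur = set(baseline.splitlines()), set(current.splitlines())
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def audit(baselines: dict, currents: dict, scanned_at: str = None) -> list:
    """One audit record per scanned device: what changed and what is out of policy."""
    scanned_at = scanned_at or datetime.now(timezone.utc).isoformat()
    records = []
    for device in sorted(currents):
        current = currents[device]
        baseline = baselines.get(device, "")  # unknown device: every line counts as added
        records.append({
            "device": device,
            "scanned_at": scanned_at,
            "config_sha256": fingerprint(current),
            # Fingerprints also catch reordering, which the set diff below would miss.
            "drifted": fingerprint(current) != fingerprint(baseline),
            "changes": diff_lines(baseline, current),
            "violations": evaluate_policy(current),
        })
    return records


def needs_attention(records: list) -> list:
    """Devices an operator must review: any drift (even if still in policy) or any violation."""
    return [r["device"] for r in records if r["drifted"] or r["violations"]]


if __name__ == "__main__":
    report = audit(BASELINE_CONFIGS, CURRENT_CONFIGS)
    print(json.dumps(report, indent=2))
    print("needs attention:", needs_attention(report))
```

Two design points are worth noting. Drift and policy are evaluated separately: an unapproved change that happens to remain within policy still produces a record, because the control being demonstrated to an auditor is change management, not only the end state. And the baseline is treated as data that must itself be approved; promoting a drifted config to the new baseline is the documented remediation step, not something the checker does on its own.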