
Regulatory compliance has arguably become the critical boardroom issue of the decade and, because the impact extends to all aspects of business operations, executives are paying ever-closer attention. However, whilst compliance traditionally focused on the legal aspects of managing policies, newer legislative reforms such as Basel II and Sarbanes-Oxley are promoting a risk-based approach. All regulatory legislation has a similar impact, requiring you to maintain and prove the integrity of your information systems and processes. Herein lies the challenge.
FST. How do pressures to meet strict compliance requirements create particular challenges for companies today and how are they looking to technology to address some of these concerns?
PG. Change auditing is an essential capability to equip the principal executive and principal financial officers (who have the ultimate responsibility for compliance) with the tools needed to meet the evaluation and disclosure requirements of S-OX and other legislation. It allows them to fulfill their duties to implement and certify the existence of internal financial controls.
A key aspect of achieving compliance is accountability, and when management takes ownership of the company’s IT control strategy, this is easily achieved. An effective control strategy must utilise preventive, detective and corrective controls, and must be designed to minimise risk to the business, particularly in areas scrutinised for S-OX and other compliance regulations. For example, for S-OX compliance, IT management should be able to demonstrate that no unauthorised changes have occurred to systems supporting material financial reporting operations.
Although using technology as the enabling framework is an absolute given, compliance with legislation is primarily a business issue, not a technical issue. It should be understood that compliance requires the business to generate, implement and conform to various policies. It is the role of technology to enforce this conformance to policy, to provide the means to prove conformance and to reduce the cost and effort of conformance on a day-to-day basis.
FST. So what exactly is change auditing and why is it necessary?
PG. Controlling IT depends on controlling change, which in turn depends on enforcing change policy with effective controls to ensure that all changes are auditable and authorised, and that all unauthorised changes are investigated. Unauthorised change is the primary cause of unplanned work, unanticipated downtime and business risk.
Auditors increasingly want to see independent change detection and verification – capabilities that demand more than basic change and configuration management technologies can deliver.
Change auditing is about being in control. It reconciles detected changes against tested, authorised changes and provides alerts when change is unauthorised. It reports objectively all change activity, enabling IT to prove the effectiveness of their controls and closes the loop on the change management process. With change auditing capabilities in place, security and compliance processes can therefore be enforced and any attempts to circumvent them will be identified.
When combined with a change approval process that allows only approved and tested changes to be implemented, change auditing increases the availability of information systems, enhances security and instills greater confidence in IT by demonstrating that only authorised and intended changes have been made to the production environment.
FST. And the benefits of automating that process?
PG. The clear benefits of automated change auditing are reduced costs because of the speed and efficiency of detecting, reconciling and reporting all change activity across the entire production infrastructure. In many organisations, the monitored infrastructure is too large and change activity too frequent to effectively monitor changes manually. For automated controls, there is typically no further audit cost after the first time they are audited, and for semi-automated controls there is typically less cost after the initial audit. However, every manual process must be audited each and every year. End-user spreadsheets are classified by S-OX as manual processes.
FST. Can you explain the critical components of your own change auditing solutions and what differentiates them from anything else on the market?
PG. Tripwire provides change auditing solutions that prove system and process integrity to help enterprises comply with regulations, while achieving greater network availability and security. Tripwire Enterprise software detects, reconciles and reports change. It offers unprecedented capabilities to audit change across multi-vendor platforms – servers, desktops, directory servers and network devices. Baseline management allows authorised users to designate ‘known and trusted’ configuration revisions as baselines, which are a point of reference for subsequent integrity checking. Tripwire Enterprise validates system process integrity by independently detecting both automated and manual changes. It includes a comprehensive library of tailorable reports and real-time dashboards that provide insightful performance metrics and trends. It measures the ratio of authorised to unauthorised changes and detailed change history to produce verifiable audit logs. Archived audit trails including device configurations and hash tables provide a comprehensive revision history showing what was done, where, when and by whom.
Tripwire Enterprise facilitates strong internal change controls, giving management and auditors the confidence and supporting evidence that security measures are effective and IT systems operate with integrity. It mitigates the potential risks of malicious changes and provides security with a reliable and unbiased view of change across an enterprise.
FST. What is ‘unplanned work’ and how does it affect an organisation?
PG. This is any activity within the IT organisation that cannot be mapped to an authorised project, procedure or change request – in other words, firefighting. Any service interruption, failed change, emergency change, or patch or security incident creates unplanned work.
The percentage of time spent on unplanned work is a remarkably accurate indicator and predictor of IT effectiveness. In fact, research by the ITPI and Tripwire shows that organisations that spend less than 10 percent of their time on urgent and unplanned work also usually have extremely high levels of operational excellence, compliance and security, and have a good working relationship with auditors.
FST. How do you know if you are a high performing organisation?
PG. All high performing IT organisations have one thing in common: a culture of change management that prevents and deters unauthorised change. The easiest way to gauge the effectiveness of your change management process is to ask the question ‘What happens if someone makes a change without going through the proper procedures?’ How would you know, and how long would it take to find out? Are there detective measures in place to alert management? Are people held accountable for going around the system?
Despite the benefits of good change management and the necessity to audit change, auditors continue to give companies failing marks in this area. In fact, half of all IT audit deficiencies are change related. Why? Because many IT organisations confuse the existence of a process with the effectiveness of a process.
Unfortunately, many IT organisations simply cannot identify the differences between effective and ineffective change management. Yet, successful and auditable change processes lead to effective change management, which drives IT business health.
Over the past five years, there has been significant progress in establishing a causal relationship between key IT controls and IT effectiveness. Research in this area has been spearheaded by the IT Process Institute (ITPI), a non-profit entity whose mission is to study IT organisations and evangelise best-known methods. Through its work, the ITPI found that high performing organisations spent 30-40 percent less on unplanned work, spent less than half the effort on S-OX compliance, achieved twice as much with every security dollar spent, and had four times the server to system administrator ratio, when compared to the average IT organisation. In addition, the high performers deliver the lowest mean-time-to-detect and the lowest IT expenditure per employee ratios.
Among high performers, the key factors to simultaneously increasing efficiency and effectiveness were holding people accountable by properly implementing controls centred on change and access. Essentially, high performers focus on how work should be done in the organisation, who is allowed to do that work, and hold people accountable to ensure that changes only happen within the organisation’s policies.
FST. How, in particular, have changes in the financial services landscape impacted on the challenges facing organisations and their requirements from technology?
PG. A host of new laws govern the manner in which companies gather, secure, use, verify and report certain kinds of information. While the threat of litigation, fines and penalties under these laws may be strong motivation for businesses to comply, many businesses also appear to be using this opportunity to think more strategically about the role of IT in the company’s overall business decision making process. These companies appear to be discovering that a risk-based approach to compliance with these new laws can actually create benefits beyond compliance – specifically, they may be finding that a robust IT controls strategy achieves compliance objectives, while increasing IT efficiency and effectiveness.
Compliance requirements are forcing many companies to adopt more forward-looking corporate IT governance processes and to elevate change management from being primarily an IT issue to a key element in the larger corporate decision-making process.
FST. What are the main security concerns for financial institutions and how can your solutions help companies to ensure the security of their IT networks?
PG. Many security solutions are about preventing external, unauthorised entities from accessing the organisation’s systems. However, they do not prevent mistakes or a malicious attack from within. Preventive controls are not enough; you also need detective controls and the ability to reconcile changes, both authorised and unauthorised.
As with any organisation, change is a primary, yet often overlooked security threat. IT must now address challenges to maintain a secure state and comply with regulatory requirements. An organisation that uses effective controls to improve its processes typically has far better availability, lower amounts of unplanned work, better security and, incidentally, smoother audits.
FST. Where do companies implementing this change auditing software see the ROI come from, and are there other, less quantifiable benefits?
PG. Tripwire change auditing solutions go beyond basic change and configuration management tools to provide independent detective controls that enable enterprises to reduce operational risk and gain control over IT systems. They also deliver the objective reporting needed to monitor the security of your systems, gain visibility across the enterprise, increase the availability of critical IT infrastructure and provide the proof to satisfy compliance and security audit requirements. As a result, organisations have significant credibility during an audit and this leads to significantly reduced audit costs over time. The IT Process Institute found that high performing organisations that embraced effective IT controls spent less than half the effort on compliance.
By auditing change across the network, Tripwire ensures the integrity of IT infrastructure – meeting today’s strict demands for accountability and security of information. Unplanned work is reduced, which lowers costs and allows more time to focus on planned and strategic projects to give the organisation a competitive advantage.
Tripwire Enterprise provides a single point of control for detecting, reconciling and reporting change activity across servers, desktops, network devices, and a growing number of other infrastructure components. For more information, please visit: www.tripwire.com/fst where you can also download a copy of Tripwire’s whitepaper, Creating a Culture of Change Management.
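The detect, reconcile and report loop the interview describes (a ‘known and trusted’ baseline of file hashes, detected changes matched against approved and tested change requests, and an audit record with an authorised-to-unauthorised ratio) can be illustrated in a few dozen lines. The following is an added example for this page, not Tripwire’s code and not part of the interview; the file paths, file contents, ticket id and user names are constructed, and the snapshot dictionaries stand in for reading the real filesystem.

```python
"""Minimal change-auditing loop: baseline -> detect -> reconcile -> report.

Added illustrative example; not Tripwire's code. All paths, contents,
ticket ids and names are constructed for the demonstration.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_snapshot(snapshot: dict) -> dict:
    """Map each monitored path to the hash of its content.

    Called once on a trusted state to record the baseline, and again on
    every subsequent check to obtain the current state.
    """
    return {path: sha256_hex(content) for path, content in snapshot.items()}


def detect_changes(baseline: dict, current: dict) -> list:
    """Return one record per path whose hash differs from the baseline."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes.append({"path": path, "kind": kind, "old_hash": old, "new_hash": new})
    return changes


def reconcile(changes: list, approved: list) -> dict:
    """Match each detected change to an approved, tested change request.

    A change counts as authorised only when an approved record names the
    same path AND the hash of the revision that was tested. A ticket for
    the path alone is not enough: the change actually made must be the
    one that was approved.
    """
    index = {(r["path"], r["expected_hash"]): r for r in approved}
    authorised, unauthorised = [], []
    for change in changes:
        record = index.get((change["path"], change["new_hash"]))
        if record is None:
            unauthorised.append(change)
        else:
            authorised.append({**change, "ticket": record["ticket"],
                               "changed_by": record["changed_by"]})
    return {"authorised": authorised, "unauthorised": unauthorised}


def control_report(reconciled: dict) -> dict:
    """Summarise the reconciliation as an auditor-facing record."""
    auth, unauth = reconciled["authorised"], reconciled["unauthorised"]
    total = len(auth) + len(unauth)
    return {
        "total_changes": total,
        "authorised_count": len(auth),
        "unauthorised_count": len(unauth),
        "authorised_ratio": round(len(auth) / total, 2) if total else 1.0,
        "authorised": auth,
        # Every unauthorised change is an alert to investigate.
        "alerts": [c["path"] for c in unauth],
    }


# Constructed trusted state (the baseline) and a later state of the same hosts.
BASELINE_SNAPSHOT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/opt/ledger/app.conf": b"db_host=ledger-db\nreport_mode=strict\n",
}
CURRENT_SNAPSHOT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    # Modified with no matching change request.
    "/etc/sudoers": b"root ALL=(ALL) ALL\nbob ALL=(ALL) NOPASSWD: ALL\n",
    # Modified exactly as tested under ticket CHG-1042 (constructed id).
    "/opt/ledger/app.conf": b"db_host=ledger-db\nreport_mode=strict\nlog_level=info\n",
    # New file nobody approved.
    "/opt/ledger/run_helper.sh": b"#!/bin/sh\necho helper\n",
}
# Approved changes carry the hash of the revision that passed testing.
APPROVED_CHANGES = [
    {"path": "/opt/ledger/app.conf",
     "expected_hash": sha256_hex(b"db_host=ledger-db\nreport_mode=strict\nlog_level=info\n"),
     "ticket": "CHG-1042", "changed_by": "alice"},
]


def run_audit() -> dict:
    baseline = hash_snapshot(BASELINE_SNAPSHOT)
    changes = detect_changes(baseline, hash_snapshot(CURRENT_SNAPSHOT))
    return control_report(reconcile(changes, APPROVED_CHANGES))


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

The point the reconciliation step makes is the one the interview stresses: a change request on file is not evidence that the change made matches the change approved, so the match is on path and tested hash together. Of the three detected changes, only the application configuration reconciles to its ticket; the sudoers edit and the unexpected script are reported as alerts, and the report carries the authorised ratio alongside the detail auditors ask for.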