Does every audit check cause you nightmares? Do you find yourself dreading what kind of information your auditor will call for? Do you wonder whether you will be able to provide it? Do you heave a sigh of relief when you are certified as compliant at the end of the audit, and wonder how you managed it? You would be spared this anxiety if you remembered that 'compliance' is not a set of items extracted from logs and configuration files to be ticked off by an auditor. It is a process, a project that must run in parallel with every data protection and data backup project that you undertake.
Compliance with reference to data generation, transmission and storage is a strategy that emerges from a sound understanding of the demands of compliance and the needs of the organization. A compliant business is one that integrates standard data generation and storage processes with security guarantees and continuous compliance. The compliance protocols must extend to both physical and virtual environments. A commitment to compliance means implementing best practices for security, data availability and protected access to IT resources.
The process of continuous compliance is usually initiated with an exact inventory of the state of the available infrastructure vis-à-vis the compliance requirements, together with an evaluation of the data generation, transmission and storage protocols. Once this is known, the gaps in compliance can be closed; standards can be created, and every new server purchased or virtual environment created for data generation, transmission and storage can be measured against the compliance standard so determined. It is also strategic to put in place a policy of data system scans at judicious intervals, to ensure that data files have not been damaged or altered by unauthorized parties between audits. In other words, the organization creates an accurate record of the current status and a system of verification that ensures that all deviations or changes are authorized.
Continuous compliance requires secure access to physical data resources and electronic data storage resources. It demands that security awareness and implementation extend beyond data storage to the generation and transmission of data. So, continuous compliance implies that the organization meets the minimum standards required of its authentication and authorization systems and of the user management controls on customer information. In other words, the organization needs to ensure that only authorized users have access to physical and electronic IT data resources, and that customer information is handled only by persons authorized to do so. Organizations may also need to ensure that customer data is encrypted and secure while it is being transmitted across networks, and that the decryption key is available only to authorized individuals.
All the above efforts make for faster and simpler compliance. They keep the IT and audit teams on the same page and help the operations teams figure out how to make changes intelligently and securely without compromising compliance. Security and operations also share visibility for policy making and for monitoring privileged accounts through whatever modifications are required. The risk of non-compliance is reduced, and audit teams can be presented with reports showing that the compliance rules are in place for the physical infrastructure and for the virtual environment alike.
To summarize the steps to compliance:
- Make an inventory of existing infrastructure and systems
- Examine the items inventoried against compliance standards
- Create standards of compliance
- Close the gaps between existing infrastructure and compliance requirements
- Measure every new virtual or non-virtual environment against standards defined
- Understand security risks and limit access to physical or electronic resources using authentication and authorization protocols and management controls
- Monitor changes to existing data and ensure that such changes are carried out by authorized personnel
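The "accurate current status record" and periodic scan described in the third paragraph, and the last two steps above, amount to a baseline-and-verify integrity check. The following is an added example (not from the original post): it records a baseline of file digests, re-scans later, and separates changes that match an approval record from those that do not. The file names, the approval record and the tampered edit are all constructed.

```python
# Added example (not from the original post): baseline-and-verify integrity
# check. The files, the approval record and the tampered edit are constructed.
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict:
    """Inventory step: relative path -> SHA-256 of every regular file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict, approved: dict) -> dict:
    """Verification step. `approved` maps a relative path to the digest that a
    change-control record authorised; any other deviation is flagged."""
    current = build_baseline(root)
    report = {"unauthorized": [], "authorized": [], "added": [], "missing": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)          # file not in the inventory
        elif digest != baseline[rel]:
            key = "authorized" if approved.get(rel) == digest else "unauthorized"
            report[key].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    return report


def demo() -> dict:
    """Constructed scenario: one approved edit, one unapproved edit, one deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("app.conf", "users.csv", "keys.pem"):
            (root / name).write_text(f"original {name}\n")
        baseline = build_baseline(root)              # status record at audit time
        new_conf = b"approved new setting\n"
        (root / "app.conf").write_bytes(new_conf)
        approved = {"app.conf": hashlib.sha256(new_conf).hexdigest()}
        (root / "users.csv").write_text("tampered\n")  # no approval record
        (root / "keys.pem").unlink()
        return verify(root, baseline, approved)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline and the approval record would be stored outside the scanned system, so that whoever alters a file cannot also alter the record it is checked against.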