IT Compliance Advisor

Mar 31 2009   2:36PM GMT

Prepare for compliance auditors: Encourage compliance with IT policies

Sarah Cortes

This post is the second in a two-part series. The first post, “review policies and standards,” addressed the first step in preparing for the auditors. -Ed.

When we last left our hero and heroine, the lone IT operations manager, he or she was about to get a visit from the compliance auditors. Sound familiar? Only, unlike in that big upcoming squash or tennis match, you’re not sure which rule book they will be using to score the games. Since you were unsure against what standard your IT operation would be judged, I advised:

Step 1: Get ahold of your company’s IT policies and standards.

Step 2: Reality check. Do they represent TODAY’s state of your IT operation?

For example, I pointed to your access control policy. Does it say, I asked, “Terminate access rights for all users within 24 hours of employment termination”? Is that really happening, 365 days a year, I queried? I also pointed out seven common ways the operation can miss that 24-hour window.

But here’s the good news: If your IT policy said, “Terminate access rights for all users within one week (instead of 24 hours) of employment termination,” you’d get an A on the audit.

So, take Step 3: Revise your IT policies and standards to reflect TODAY’s reality. Don’t let staff companywide get in the habit of tolerating noncompliance with your policies because they are too ambitious in relation to your current compliance level. While you may be trying to set a higher standard to aspire to, there are better ways to do that. Instead, you are just setting yourself up for a BAD AUDIT.

“Sarah, how can you recommend a one-week standard for access termination?” I can just hear you say. The point is, of course I recommend you tighten up your operation and get that one week down to 24 to 48 hours. Just don’t put it in your policies and standards until it is THERE. If you insist on doing this, it will only get you an “F” on your audit. And there’s nothing in COBIT dictating the time frame. You can determine your own time frame based on a series of factors. I’ll go over those another time, but they give you more leeway than you’d think. If you’ve followed these steps, take Step 4: Sleep easier at night.

If you have any questions about this strategy, let me know in the comments.
