Information Systems Audit And Control Association archives - IT Compliance Advisor

Aug 5 2009   2:13PM GMT

Compliance officers discuss business, IT alignment at ISACA conference



Posted by: Alexander Howard
risk management, Information technology governance, Information technology audit, Information Systems Audit and Control Association, Information security, ISACA, conference

This guest post is from Joe Hewitt, an IT compliance specialist for American Honda Finance Corporation.  His views do not represent those of Honda, any of its divisions, or employees.

The 2009 ISACA International Conference held in Los Angeles had a much different feel than those of the past. While IT controls were consistently a primary talking point, the emphasis was on how to better align business and IT goals. Even though theoretical concepts such as IT risk and the value of information technology were discussed at length, many of the presenters addressed real-world issues with respect to advancing along the compliance spectrum.

Oracle representatives Mark Sunday, CIO and SVP, and Gail Coury, VP of risk management, kicked off the festivities with a detailed and insightful keynote address that outlined the challenges of compliance amid heavy acquisition periods.  Attendees then proceeded to presentations along one of four tracks:

  1. IT governance
  2. IT compliance audit practices
  3. Information security management
  4. IT risk management and compliance

While useful information was abundant and widespread, here are some of the more interesting discussion points:

  • Risk is often counter-intuitive
  • Privacy regulations are here to stay…and will only become more strict
  • Reputation risk is increasing for all businesses
  • Financial return and value of governance are realized across silos, not from within them
  • IT should be used to reduce business costs, not IT costs
  • Acceptance of authority in younger generations has gone down, increasing the need for control automation
  • The current economic environment emphasizes the need for controls over fraud at every level
  • Business = Demand; IT = Supply
  • ACCOUNTABILITY IS KEY!

If controls are the key, governance is the lock

Much discussion was held about progressing beyond creating a control environment and moving towards overall governance. With compliance budgets decreasing at a record pace, governance is the only way that auditors will be able to show the value of audit activities.

Risk was the real elephant in the room. Discussions concluded that, while we cannot fully eliminate risk in a cost-effective manner, implementing a monitoring or review process provides an eye-opening set of data for many businesses.

Even though attendance appeared to be down, the group was very diverse and included representatives from all over the globe.  ISACA members from international companies enlightened the group with unique and challenging regional issues.

Overall, the conference delivered as promised.  It had legacy theory, risk management theory, international diversity, and real-world solutions for almost any IT compliance issue.  ISACA continues to be on the cutting edge of IT governance.


Mar 26 2009   2:05PM GMT

Prepare for compliance auditors: Review policies and standards



Posted by: Sarah Cortes
Access control, Security, business, Information Systems Audit and Control Association, ISACA, compliance, regulatory compliance, compliance audit

So you got the word, the compliance auditors are coming in. It’s like that big squash or tennis match. You’re feeling pretty good, and you think you’re ready. After all, you’re an IT professional, conscientious, hard-working and knowledgeable. But do you know what standard the auditors will be auditing you against? Like your opponent on the squash or tennis court, is it:

a) COBIT
b) ISACA
c) “Best practices”
d) Secret things
e) How well they like you
f) None of the above

How did you do? The correct answer, as those of you with the scars to prove it already know, is f, “none of the above.” That’s right, not even COBIT. And “F” is what you may be about to get until you know how compliance auditors operate.

They’re actually auditing you against you and your company’s own standards and policies. Yup, that’s it. No, they’re not auditing you “against” a COBIT checklist. They’re looking at your own policies and standards and comparing your actual operation to what is stated in those policies.

So, Step 1: Get ahold of those policies and standards.

Step 2: Reality check. Do they represent TODAY’s state of your IT operation? Or are they aspirational? Do they say, for example, “Terminate access rights for all users within 24 hours of employment termination?” Is that really happening, 365 days a year? How about over weekends? Do your security staffers ever have delays getting lists of terminated employees from HR? Do they ever have a gap in coverage due to an unexpected absence? How often do you run a reconciliation report of terminated employees from the last 12 months vs. active usernames? Does HR have the ability to run regular reports of transferred employees, whose access needs to be handled as if they were terminated?

All operations, no matter how large or professional, can have gaps of greater than 24 hours between terminations and access cutoff. And if your operation is NOT among the largest, with a significant access control staff, chances are good you’ve got terminated employees with access going 48 hours to one week or longer before it’s taken care of. Here’s a secret: Everyone does. The auditors know it, if you don’t.
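The reconciliation Step 2 asks about (terminated and transferred employees from the last 12 months vs. still-active usernames, measured against a 24-hour policy) can be run as a script. This is an added example, not code from the original post; the HR feed layout, the account list and the sample data are assumptions constructed for illustration.

```python
# Added example (not from the original post): reconcile HR terminations and
# transfers against accounts still enabled. Input layout and field names are
# assumptions; the 24-hour cutoff and 12-month look-back come from the post.
from datetime import datetime, timedelta, timezone

SLA_HOURS = 24
LOOKBACK_DAYS = 365

# Constructed sample HR feed: (username, event, event_time_utc).
# A transfer is handled exactly like a termination, as the post recommends.
HR_EVENTS = [
    ("jdoe",   "termination", "2009-03-20T17:00:00"),  # Friday evening
    ("asmith", "transfer",    "2009-03-23T09:00:00"),
    ("bwong",  "termination", "2009-03-26T00:00:00"),
    ("cold",   "termination", "2008-01-15T12:00:00"),  # outside look-back
    ("rjones", "termination", "2009-03-24T12:00:00"),  # already disabled
]
# Constructed sample: usernames still enabled in the directory.
ACTIVE_ACCOUNTS = {"jdoe", "asmith", "bwong", "cold", "mlee"}


def parse_ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def reconcile(hr_events, active_accounts, now):
    """Map username -> hours since the HR event, for every account that
    should be disabled (terminated or transferred in the last 12 months)
    but is still active."""
    cutoff = now - timedelta(days=LOOKBACK_DAYS)
    findings = {}
    for user, event, when in hr_events:
        t = parse_ts(when)
        if event not in ("termination", "transfer") or t < cutoff:
            continue
        if user in active_accounts:
            # Wall-clock hours: weekends and holidays do not pause the clock.
            findings[user] = (now - t).total_seconds() / 3600
    return findings


def sla_breaches(findings):
    """Subset of findings older than the policy's 24-hour window."""
    return {u: h for u, h in findings.items() if h > SLA_HOURS}


if __name__ == "__main__":
    now = parse_ts("2009-03-26T12:00:00")
    for user, hours in sorted(reconcile(HR_EVENTS, ACTIVE_ACCOUNTS, now).items()):
        print(f"{user:8s} still active {hours:6.1f}h after HR event")
```

The weekend case from the post shows up directly: a Friday-evening termination that is still enabled on Thursday reports well over 100 hours, because the clock is wall-clock time rather than business days.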

[Image: Ezra B. French, Second Auditor of the US, via Wikipedia]

I’ll cover Step 3 in a future post. In the meantime, let me know in the comments if you have any questions so far.

Feb 27 2009   7:20PM GMT

IT compliance policies, standards and technical directives



Posted by: Alexander Howard
Information Systems Audit and Control Association, National Institute of Standards and Technology, Standard, COBIT, Information Technology Infrastructure Library, Capability Maturity Model Integration

“A day at the beach can turn into a hurricane fast.”

That’s the tagline Sarah Cortes chose for Inman TechnologyIT, her Cambridge, Massachusetts-based consultancy. What’s the context? Disaster recovery, security and preparation for IT compliance audits. I met Cortes at a meeting of the New England Tech Professionals LinkedIn group last night in Waltham, Massachusetts. She provided an overview of IT policies, standards and technical directives to a group of seasoned IT professionals before leading a discussion of how these frameworks relate to actual preparation.

Her presentation is embedded below.

[Embedded presentation: Feb 26 NETP Slide Deck, from ddcomeau]

I posted the following updates to @ITCompliance on Twitter while she spoke and engaged the audience.

  • Cortes presenting on a true “alphabet soup” of standards/orgs: ISO/IEC 27000, ITIL, NIST, PMBOK, TOGAF, CMMI for dev, SEI’s CMM & COBIT.
  • Important note from Cortes: Many of the “standards” (like COBIT) are frameworks. Adopting them gives auditors a reference point.
  • Excellent discussion here by IT pros of the difference between stating ISO/COBIT compliance & genuine quality in IT policy & processes.
  • Discussion turning to ISACA technical directives & more granular IT processes & recommendations. Key reference: http://isaca.org
  • Wrapping up; Cortes of Inman Tech moderated a useful discussion of compliance standards & audit concerns. http://twitpic.com/1prtm

Aside from the opportunity to meet a dozen enterprise IT professionals, the core of the SearchCompliance.com audience, I took away a number of insights that the tweets above highlight.

First, the number of standards and frameworks relevant to compliance is staggering. Compliance officers and CIOs have long since become well aware of the issue. When Cortes talked about ISO/IEC 27000, her tongue-in-cheek comment was that 27000 referred to the number of standards it comprises.

Secondly, in Cortes’ eyes there’s a distinction between being compliant with a given framework, like COBIT or ITIL, and running a quality IT department that is prepared for a disaster and has consistently protected critical financial, health and intellectual property data. Demonstrated adherence to these frameworks, especially in documentation of internal processes and policies, will help when the compliance auditors come calling.

The latter part of the presentation ran through dozens of recommendations for given IT policies offered by the Information Systems Audit and Control Association (ISACA). As Cortes noted, the security frameworks don’t offer specific advice for a given area. ISACA directives do. As I noted in the tweet, more information is available at http://isaca.org.

The final part of the night featured a wide-ranging discussion about life on the “front lines” of the IT department by engineers and administrators who had to mitigate data breaches, prepare for compliance audits and develop procedures to ensure compliance across multiple computing environments. Clearly, these tasks aren’t easy. If you’d like to tell us your story, please write to editor at searchcompliance.com.

Thanks again to Cortes for allowing us to publish her presentation and to Dennis Comeau for the invitation to the meeting.
