
The advantages and limits of compliance automation - what works, what doesn't and why?






Presentation Transcript


  1. The advantages and limits of compliance automation - what works, what doesn't and why? Eoin Fleming

  2. The Problem
     • There are an estimated 20,000 regulatory instruments and laws worldwide that affect Information Technology
     • Every year there are new and more onerous audit requirements being placed on businesses – the newest being EuroSoX and E-Discovery
     • As the size and frequency of audits go up, costs go up and the impact on staff goes up (both on IT staff AND business staff)
     • We are at the point now where audit and compliance are impacting on business flexibility and competitive edge
     • Audit is too frequent, too expensive and too demanding for organisations to keep up with – and it's getting worse
     HP Confidential

  3. What can be done? Audit has traditionally been a highly manual process. (Diagram: typical audit process.)

  4. What can be done? (Graph: the typical compliance "rollercoaster", here measuring inactive users for SOX, with a spike at each audit.) Audit is a wasteful process because it's a series of "once-offs": after the audit everyone relaxes and things go back to the way they were – human nature.

  5. What's the ideal? Auditor self-service and continuous compliance monitoring.
     How to achieve it?
     • Automate as far as possible the key security and compliance indicators that auditors always look at
     • Give the internal auditors access to the monitoring tools NOT JUST WHEN THEY ARE CONDUCTING AN AUDIT BUT ALL THE TIME
     • Give external auditors access to the same tooling – less disruptive, as otherwise you have to install/de-install theirs
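Slides 4 and 5 use inactive users as the indicator measured for SOX and call for automating the key indicators so they can be monitored continuously rather than sampled once per audit. The following is an added Python example, not from the presentation, of such a check run over a constructed account register; the account fields, the sample data and the 90-day threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed sample of an account register; field names are assumptions.
@dataclass
class Account:
    user: str
    enabled: bool
    last_login: Optional[date]  # None = never logged in
    created: date

INACTIVITY_DAYS = 90  # assumed threshold; use the one agreed with audit

SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2024, 5, 20), date(2020, 1, 1)),
    Account("bob", True, date(2024, 1, 2), date(2019, 6, 1)),       # stale
    Account("carol", False, date(2023, 11, 30), date(2019, 6, 1)),  # already disabled
    Account("dave", True, None, date(2024, 5, 1)),                  # new, never used yet
    Account("erin", True, None, date(2023, 1, 1)),                  # never used, old: stale
]

def inactive_accounts(accounts: List[Account], as_of: date,
                      threshold_days: int = INACTIVITY_DAYS) -> List[str]:
    """Enabled accounts with no activity in the last threshold_days.
    Never-used accounts are measured from their creation date."""
    cutoff = as_of - timedelta(days=threshold_days)
    stale = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account is the desired end state, not a finding
        last_activity = a.last_login or a.created
        if last_activity < cutoff:
            stale.append(a.user)
    return sorted(stale)

def inactive_user_kri(accounts: List[Account], as_of: date,
                      threshold_days: int = INACTIVITY_DAYS) -> float:
    """The indicator as a percentage of enabled accounts, so it can be
    trended daily and shown to auditors instead of measured once per audit."""
    enabled = [a for a in accounts if a.enabled]
    if not enabled:
        return 0.0
    stale = inactive_accounts(accounts, as_of, threshold_days)
    return round(100.0 * len(stale) / len(enabled), 1)

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(inactive_accounts(SAMPLE_ACCOUNTS, today))  # ['bob', 'erin']
    print(inactive_user_kri(SAMPLE_ACCOUNTS, today))  # 50.0
```

Scheduling this daily and keeping the history is what turns the once-off audit spike of slide 4 into a continuously visible indicator.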

  6. What the ideal process looks like – no audits other than statutory ones.

  7. Trade-offs

  8. What automates well – what doesn't (items were colour-coded on the slide: green = good, red = poor)
     • Staff training, i.e. CBT
     • PUA/UAM enforcement and reporting
     • Security incident management
     • Compliance and regulatory reporting to ISO and ITGCs
     • Metrics, KPIs/KRIs
     • Antispam/antivirus
     • Centralised log management and reporting
     • Active security response capability
     • IPS
     • Vulnerability scanning
     • Security configuration mapping
     • Penetration testing
     • Control self-assessment
     • System "hardening"
     • Operational risk management

  9. What should not be automated (yet)
     • Business risk management – operational risk automates well, but impact judgement has to be manual
     • Penetration testing (if done) – automated approaches are not up to the job yet
     • When considering this approach, involve your internal and external audit teams from the start – they are facing the same challenges and their agreement is critical to the success of the process
