One of the big issues facing companies these days is compliance – Sarbanes-Oxley, GLBA, PCI, and there will undoubtedly be more in the coming years. As a result, vendors are pushing all sorts of products that purport to help solve the compliance problem. However, compliance is not a technology problem – it’s a business problem which needs a business solution. By instituting sustainable business processes that effectively leverage people and technology, enterprises will become not just more secure but also compliant with current and emerging regulations.
Business processes tie together the people and technology that comprise a company’s operational environment. They serve much the same function as ligaments and tendons do in physical performance: poor business processes weaken a company’s fiscal performance. An ineffective sales tracking system, for example, will cause major problems in terms of production schedules, order fulfillment, and customer satisfaction. On the regulatory side, such an ineffective system will negatively impact a Sarbanes-Oxley (SOX) audit, since control of both quotes and orders is necessary to know and validate a company’s financial standing.
Consistent, repeatable processes should be the goal of every company to ensure sustainability. They are also the cornerstone of many different compliance frameworks, including: SOX, the Payment Card Industry (PCI), ISO 17799/27001, Common Criteria (ISO/IEC 15408), and GLBA; not to mention other local and international standards. I’ve outlined three steps below for designing business processes that, when well executed, will not only improve a company’s operations, but will also ease the workload related to proving compliance. Those steps are:
Separation of duties: Create a simple system of checks and balances, for example by investing expenditure approval authority and check writing authority in two different entities or individuals. A basic principle set out famously in the US Constitution, this is simple and reduces the opportunity for embezzlement, for inappropriate procurement awards, and even for stock manipulation. In a high-risk environment, a company may rotate duties to prevent collusion. For instance, the Federal Reserve Board requires authorization by individuals from at least three different groups to move gold from one vault to another; designated representatives from each of these groups are rotated regularly as well.
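The checks and balances described above can be enforced mechanically rather than by convention. The following Python is an added example, not code from the article or its author: it models a request that must be approved by someone other than the requester, requires sign-off from a configurable number of distinct groups (two for routine expenditure, three for the vault-style case), and adds a simple rotation check that flags the same set of people repeatedly approving together. The people, groups, action names and thresholds in the policy table are all constructed sample data.

```python
# Added example (not from the article): enforcing separation of duties as a
# dual-control check.  People, groups, actions and thresholds are constructed
# sample data; the policy table is a hypothetical one.
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass(frozen=True)
class Person:
    name: str
    group: str  # the organisational unit the person acts for

@dataclass
class Request:
    action: str
    requester: Person
    approvers: List[Person] = field(default_factory=list)

# Hypothetical policy: how many distinct groups must be involved (the
# requester's own group counts as one) before the action may proceed.
REQUIRED_GROUPS: Dict[str, int] = {
    "pay_invoice": 2,  # expenditure approval and check writing in different hands
    "move_gold": 3,    # the three-group vault example from the text
}

class SeparationOfDutiesError(Exception):
    """Raised when an approval would collapse the checks and balances."""

def add_approval(req: Request, approver: Person) -> None:
    """Record an approval, refusing self-approval and duplicate approvals."""
    if approver == req.requester:
        raise SeparationOfDutiesError(f"{approver.name} may not approve their own {req.action}")
    if approver in req.approvers:
        raise SeparationOfDutiesError(f"{approver.name} has already approved this {req.action}")
    req.approvers.append(approver)

def groups_involved(req: Request) -> Set[str]:
    return {req.requester.group} | {a.group for a in req.approvers}

def is_authorized(req: Request) -> bool:
    """True once enough *different* groups have signed off; additional
    approvers from a group already represented add nothing."""
    needed = REQUIRED_GROUPS.get(req.action, 2)  # default: two-person control
    return len(groups_involved(req)) >= needed

def repeated_pairings(history: List[Request], limit: int) -> List[frozenset]:
    """Rotation check: sets of people who have jointly handled more than
    `limit` requests, which is where collusion risk concentrates."""
    counts: Dict[frozenset, int] = {}
    for r in history:
        team = frozenset(p.name for p in [r.requester, *r.approvers])
        counts[team] = counts.get(team, 0) + 1
    return [team for team, n in counts.items() if n > limit]

if __name__ == "__main__":
    alice, bob = Person("alice", "finance"), Person("bob", "treasury")
    carol = Person("carol", "finance")
    inv = Request("pay_invoice", alice)
    add_approval(inv, carol)      # same group as the requester: not sufficient
    print(is_authorized(inv))     # False
    add_approval(inv, bob)        # a second group is now represented
    print(is_authorized(inv))     # True
```

The point of counting groups rather than signatures is that two people from the same unit do not constitute a check on each other; the rotation report gives the reviewer a list of teams to reshuffle.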
Need to know: Limit access to critical information to those few people who have a true need to know. Establish a process for regular review of these access lists. Quarterly or semi-annual review is fairly standard for sensitive applications, augmented by additional reviews triggered when an employee changes job roles to ensure that privileges are not kept by default beyond their relevance to actual job requirements. In the case of access to all corporate financials, a few key executives and auditors should be sufficient.
Regardless of the mandates of PCI, the most prudent course is to encrypt the numbers for all credit card information that is handled and to minimize the number of people who have the ability to decrypt the data. People who don’t have access to data can neither lose nor steal it. Scrutinize the use of credit card information to verify consistency with company privacy and confidentiality policies. Never use real credit card data for test systems. Monitoring tools can also help identify vulnerabilities in this access control system. This general principle aligns with auditing requirements for both SOX and PCI compliance.
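A periodic access review of the kind described above can be expressed as a small program over the entitlement data. The following Python is an added example, not code from the article or its author: it maps job roles to the entitlements they justify, flags rights a person still holds after a role change, caps the number of holders of the most sensitive rights (decrypting stored card data, reading all corporate financials), and decides when a review is due on a semi-annual cadence or immediately after a job change. The role table, caps, user names, entitlement names and dates are constructed sample data.

```python
# Added example (not from the article): a need-to-know access review.  The
# role table, sensitivity caps, users and dates are constructed sample data.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical mapping of job role -> entitlements that role actually needs.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk":   {"ap_invoice_entry"},
    "controller": {"ap_invoice_approve", "gl_full_read"},
    "sales_rep":  {"crm_read", "quote_create"},
    "auditor":    {"gl_full_read"},
    "pci_ops":    {"card_decrypt"},
}

# Hypothetical caps on how many people may hold the most sensitive rights.
MAX_HOLDERS: Dict[str, int] = {"card_decrypt": 2, "gl_full_read": 3}

@dataclass
class User:
    name: str
    role: str
    entitlements: Set[str] = field(default_factory=set)
    role_changed: Optional[date] = None  # date of the last job change, if any

def beyond_role(user: User) -> List[str]:
    """Entitlements the user holds that the current role does not justify
    (typically left over from a previous role)."""
    return sorted(user.entitlements - ROLE_ENTITLEMENTS.get(user.role, set()))

def review_due(user: User, last_review: date, today: date, period_days: int = 182) -> bool:
    """Semi-annual cadence, plus an immediate review after a role change."""
    if user.role_changed is not None and user.role_changed > last_review:
        return True
    return (today - last_review).days >= period_days

def run_review(users: List[User]) -> List[Tuple[str, str, List[str]]]:
    """Return (subject, finding, details) triples for the access reviewer."""
    findings: List[Tuple[str, str, List[str]]] = []
    for u in users:
        extra = beyond_role(u)
        if extra:
            findings.append((u.name, "beyond_role", extra))
    holders: Dict[str, List[str]] = {}
    for u in users:
        for ent in u.entitlements:
            holders.setdefault(ent, []).append(u.name)
    for ent, cap in MAX_HOLDERS.items():
        names = sorted(holders.get(ent, []))
        if len(names) > cap:
            findings.append((ent, "too_many_holders", names))
    return findings

if __name__ == "__main__":
    sample = [
        User("carol", "sales_rep", {"crm_read", "quote_create", "ap_invoice_approve"}, date(2024, 3, 1)),
        User("erin", "pci_ops", {"card_decrypt"}),
        User("frank", "pci_ops", {"card_decrypt"}),
        User("gina", "auditor", {"gl_full_read", "card_decrypt"}),
    ]
    for finding in run_review(sample):
        print(finding)
```

The two findings a reviewer most wants are exactly the ones the text calls out: rights kept by default after a job change, and sensitive rights held by more people than the business needs.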
Change management: Establish the framework for change – and, ironically, business continuity – by fully describing the system that exists. Often perceived as tedious, with burdensome documentation requirements, change management is a key control mechanism for managing and securing financial systems. Auditors appreciate the value of solid change management practices; companies should appreciate spending less time and money on audits.

An effective change management process is methodical and simple. Document all system configurations, or implement an automated tool to discover system configurations and record them by date. Detail the steps required for user moves, adds, and changes, and establish an audit trail. Record proactive security events, such as patch applications and anti-virus (AV) updates. Assign each process a business owner who is responsible for maintaining and documenting it. Record all changes, manually or automatically. When anomalies are observed or something “breaks,” consult the change log for clues about the likely origin of the malfunction. The documentation serves the additional purposes of increasing uptime, improving reliability, and shortening mean time to recovery. It forms the basis for a business systems resiliency or disaster recovery plan, especially when enhanced with key contact and license/registration information.
For multi-owner processes, assign responsibility for prioritizing and approving changes to a change management committee or board. This board, especially on the applications side, should have the ability to understand the dynamics of conflicting business requirements (internal and external), regulatory requirements (external), and the risk potential inherent in changes requested from different groups. A review board with a holistic view of the system for which change is contemplated will be able to identify hazards, negotiate details, and explain and “market” prioritizations to their individual work groups.
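The change log and dated configuration snapshots described above are most useful at the moment something breaks. The following Python is an added example, not code from the article or its author: it keeps a log of changes (each with a business owner and a kind such as patch, AV update or user change) alongside dated configuration snapshots, lists the changes to a system between the last known-good time and the failure, and diffs the two nearest snapshots to show what actually changed. The system names, owners, timestamps and configuration keys are constructed sample data.

```python
# Added example (not from the article): a dated change log with configuration
# snapshots, consulted to find the likely origin of a malfunction.  Systems,
# owners, timestamps and configuration keys are constructed sample data.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Change:
    when: datetime
    system: str
    owner: str   # business owner accountable for the process
    kind: str    # e.g. "patch", "av_update", "user_change", "config"
    detail: str

@dataclass(frozen=True)
class Snapshot:
    when: datetime
    system: str
    config: Dict[str, str]

class ChangeLog:
    def __init__(self) -> None:
        self.changes: List[Change] = []
        self.snapshots: List[Snapshot] = []

    def record(self, change: Change) -> None:
        """Append to the audit trail; entries are never edited in place."""
        self.changes.append(change)

    def snapshot(self, snap: Snapshot) -> None:
        self.snapshots.append(snap)

    def latest_snapshot(self, system: str, at: datetime) -> Optional[Snapshot]:
        """The most recent recorded configuration at or before `at`."""
        cands = [s for s in self.snapshots if s.system == system and s.when <= at]
        return max(cands, key=lambda s: s.when) if cands else None

    def suspects(self, system: str, last_good: datetime, failed: datetime) -> List[Change]:
        """Changes to `system` between the last known-good time and the failure,
        oldest first: the first places to look when something breaks."""
        hits = [c for c in self.changes
                if c.system == system and last_good < c.when <= failed]
        return sorted(hits, key=lambda c: c.when)

def diff_config(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Keys whose value differs, mapped to (old, new); None marks an absent key."""
    keys = sorted(set(before) | set(after))
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}

if __name__ == "__main__":
    log = ChangeLog()
    log.snapshot(Snapshot(datetime(2024, 5, 1, 8), "erp-db", {"max_connections": "200", "tls": "1.2"}))
    log.record(Change(datetime(2024, 5, 2, 10), "erp-db", "dba-team", "patch", "apply DB patch 7"))
    log.record(Change(datetime(2024, 5, 3, 9), "erp-db", "sec-ops", "config", "max_connections 200 -> 50"))
    log.snapshot(Snapshot(datetime(2024, 5, 3, 12), "erp-db", {"max_connections": "50", "tls": "1.2"}))
    last_good, failed = datetime(2024, 5, 1, 9), datetime(2024, 5, 3, 14)
    for c in log.suspects("erp-db", last_good, failed):
        print(c.when, c.owner, c.kind, c.detail)
    before = log.latest_snapshot("erp-db", last_good)
    after = log.latest_snapshot("erp-db", failed)
    print(diff_config(before.config, after.config))  # {'max_connections': ('200', '50')}
```

Because every entry carries an owner, the output of `suspects` is also the list of people to call, which is the contact information the text recommends folding into the continuity plan.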
If a business process needs to be changed, change it. I have laid out three key elements to consider when designing a business process, or when revamping one in response to new or existing compliance, security, or environmental needs. Those elements are separation of duties, need to know, and change management. The benefits are lower cost and more reliable operations, less time and money spent on audits, and greater peace of mind for the organization.

Business drives changes in process. Technology may enable – or inhibit – change, but it does not drive change. Consistent communication must exist, however, between functional areas (e.g., information technology) and lines of business (e.g., product engineering or consumer loans). Such communication facilitates incremental adjustments in technology deployment, which must be recorded in system configuration documents, process updates, and business continuity plans. The continuous realignment of IT and business practice is comparable to the quality movements in manufacturing processes.
Technology reinforces and supports changes in process. Tools should not determine the nature of change, nor how change is implemented. Leverage the existing change management process to communicate change and incorporate it in semi-annual reviews. Information product flow can and should be mapped to identify areas that need attention to minimize the gap between business needs and new process implementation and acceptance.
Mitigate risk with technology. Encourage the flow of communication between business units and IT staff so that compliance risks are understood by all. Mitigate the consequences of taking informed risks for business benefit through the judicious application of technology.
David Mortman is the CSO-in-Residence for Echelon One, LLC, where he is responsible for managing their research and analysis program. Previously, he was the CISO for Siebel Systems. David speaks regularly at RSA, Blackhat and Defcon amongst others and publishes the occasional op-ed in Information Security magazine.