Bringing Mainframe Audit and Compliance Into the 21st Century: How to Keep the Auditor’s Teeth From Biting
Security administrators and managers are increasingly worried about compliance. As a colleague from England said, “I have auditors on my doorstep every three weeks.” With multiple demands for similar reports, he was spending all his time preparing for audits and responding to urgent requests, with no time left for his normal work. In that situation, important issues such as overall strategy and policies, and aligning IT with the business, get crowded out by urgent, tactical ones. The “do more with less” credo isn’t working.
Today, we all face regulations and changing standards. Most companies must deal with multiple regulations simultaneously, such as the Sarbanes-Oxley Act, Healthcare Information Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS), among others. Each regulation has different reporting requirements and deadlines.
Security evolves. What used to be a solid security model is now outdated and inflexible. So how can you ensure you’re doing more with less?
Don’t Re-Create the Wheel
The best approach to compliance is to implement a comprehensive strategy that defines the appropriate way to accomplish risk management, and its implications for security and IT audit. People try to re-invent the wheel for security administration and reporting guidelines, but there are frameworks that will walk you through the process of establishing a security management architecture and implementing the required administration, reporting, and auditing systems.
For example, COBIT (Control Objectives for Information and Related Technology) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks. COBIT offers a framework to create, define and implement a proper, well-organized security management system. The Information Technology Infrastructure Library (ITIL) offers documents to address all aspects of service management. The recently revised ISO17799 checklist can help you transition from scope definition, to policy definition, to implementation and to certification of a proper security management model. Once you’ve scanned ISO17799, go back and review other relevant security standards and you’ll see the parallels.
Ultimately, you’re establishing a security lifecycle for your organization. It consists of defining your requirements, writing a security policy on paper, and then implementing that policy to protect the business. Ensure that the security meets the requirements and that the business is adequately protected. Conduct your audits, monitor the security controls in place, and verify them against the changing landscape. This lifecycle and process of security is the foundation of most security models.
Understand Your Current Security Status
By defining the current environment, you can discover the reality of your systems’ status. Most systems have evolved over the last 20-plus years. In the ’80s, systems were protected by hardware, and the network didn’t extend outside the building. In the ’90s, Local Area Networks (LANs) and SNA networks were prominent. Now, there’s TCP/IP access crossing firewalls with customers, employees, and partners logging in remotely using Virtual Private Networks (VPNs).
Unfortunately, security policies haven’t evolved to cope with these architectural changes. For example, a RACF database is still fundamentally the same as it was 10 years ago. So, there are items you must evaluate: