Sep 18 ’11
The On-Ramp to the Compliance Superhighway
Corporate IT organizations and mainframe security professionals face the challenges of minimizing costs, maintaining compliance with industry and government regulations, addressing increased workloads, and adapting to decreasing mainframe skillsets as “baby boomers” start to retire in significant numbers. Fortunately, technology is being developed to make products easier to learn and use; it’s also facilitating knowledge transfer from first-generation users to next-generation users. This technology needs to address daily tasks, but the job isn’t just about routine, daily duties such as assimilating new employees. The solution must cover the entire role.
Increasingly, more time is being devoted to compliance-related demands. Compliance isn’t just a one-time effort. Years ago, many companies started with annual audits. In one case, Betty, a junior staff member who had excellent IT skills, became aware of the annual audit and the window of opportunity it presented. Just prior to the audit, she worked on a system to take advantage of odd cents in transactions, funneling them to her private account. After 11 months, Betty left the company with a tidy sum. She had removed the code and every trace of her presence. The next audit revealed some irregularities, but even though some suspected her, they couldn’t prove anything. Their faith in the annual audit as the sole compliance event was diminished.
Other companies experienced similar stories, from hijacked customer lists to sensitive customer data ending up outside the organization and numerous other data exposures. As companies moved online, they saw their exposure increasing. It naturally followed that they began to realize the true cost of non-compliance (e.g., lost customers, lawsuits, fines, and growing internal risks). The only solution was continuous monitoring of sensitive data on every system, which has now become an ongoing practice of reviewing, modifying, and establishing new processes and controls.
Similarly, it’s an ongoing requirement to demonstrate that current processes and controls aren’t circumvented. Compliance is maturing into continual process improvement and continuous audit. Organizations must ensure they’re doing the right things for compliance and doing them effectively and efficiently, according to rules, regulations, and auditors. They also need to be on top of new regulations and new forms of breach and adapt their systems to handle them. The innovation of hackers keeps those responsible for this part of the business constantly on their toes.
Another problem is that the flood of new and expanded industry and government regulatory mandates has also created an overlap in priorities and responsibilities for the enterprise compliance and security groups, prompting them to investigate ways that technology can infuse efficiencies. Because mainframes remain an integral part of the data center, the need for streamlined security compliance management extends to that environment. However, organizations struggle to develop the appropriate tools and processes to lighten the load, which has created excessive redundancies and repetition of manual effort. Chief security officers and compliance officers have different, but complementary, responsibilities. Companies desiring to succeed in locking down their security need to create a new organization, replacing overlapping security and compliance groups and integrating their functionality. Two organizations doing the same work represent an opportunity to save work, time, money and resources. An alternative to an organizational transformation is to better understand modern requirements, then clarify the roles to eliminate duplication. But the status quo simply isn’t effective.
For today’s CIO, it’s imperative to be a customer-centric business leader focused on delivering the right IT services to drive growth, while managing cost and quality and ensuring secure customer access. While there are many competing priorities, this imperative involves driving two strategies concurrently:
- Setting the right course based on the overall business strategy and aligning IT services to the needs of the business
- Providing secure access and delivering high-quality services in the most cost-efficient ways possible—not compromising the business, but enabling it.
The second key initiative involves combating threats and managing user identities and access. It includes delivering the policies needed to support security and compliance programs and meeting many corporate and legal mandates. An integrated, automated approach is what’s needed—one that simplifies management of the technical complexity and unifies people, processes, and technology in pursuit of driving more value by becoming more customer- and business-centric.
Highlighting the challenge of managing security and compliance is the case of large company mergers, which bring together disparate security systems that require additional management effort or conversion. Even more challenging is the frequent need to streamline the organization, which often results in layoffs. For some companies, managing the small number of new hires (and new fires) is already a challenge. Ensuring that all access is either granted quickly or revoked during and after a merger can often expose limitations in systems. Automation can make a huge difference here.
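One concrete piece of the automation the paragraph above calls for is a leaver reconciliation: compare the HR termination feed against the accounts still enabled in every access system and report anything that survived the revocation deadline. The script below is an added example, not code from the article or from any product; the HR feed, the three system exports and the one-day revocation SLA are all constructed for illustration.

```python
"""Leaver reconciliation: find terminated employees who still hold access somewhere.

Added example, not the article's code. It assumes an HR feed of terminations and
one export of still-enabled accounts per access system (a directory, the
mainframe security database and the telephone system). The data below is
constructed, and the one-day revocation SLA is an assumption.
"""
from dataclasses import dataclass
from datetime import date

TODAY = date(2011, 9, 18)
REVOCATION_SLA_DAYS = 1  # assumed policy: access must be gone within one day of termination

# Constructed HR leaver feed: employee id -> termination date.
HR_TERMINATIONS = {
    "E1001": date(2011, 9, 1),
    "E1002": date(2011, 9, 17),
    "E1003": date(2011, 8, 20),
}

# Constructed exports of accounts still enabled in each access system.
ACTIVE_ACCOUNTS = {
    "directory": {"E1001", "E1004", "E1005"},
    "mainframe": {"E1002", "E1004"},
    "phone":     {"E1001", "E1002", "E1003", "E1005"},  # never wired to the leaver feed
}


@dataclass(frozen=True)
class ResidualAccess:
    employee: str
    system: str
    days_open: int  # days since termination during which the account stayed enabled


def find_residual_access(terminations, active_accounts, today):
    """Every (employee, system) pair where a terminated employee still has an enabled account."""
    findings = []
    for emp, term_date in sorted(terminations.items()):
        for system in sorted(active_accounts):
            if emp in active_accounts[system]:
                findings.append(ResidualAccess(emp, system, (today - term_date).days))
    return findings


def overdue(findings, sla_days=REVOCATION_SLA_DAYS):
    """Findings older than the revocation SLA: the ones an auditor would write up."""
    return [f for f in findings if f.days_open > sla_days]


def disconnected_systems(terminations, active_accounts):
    """Systems in which every current leaver is still active: the feed probably never reaches them."""
    leavers = set(terminations)
    return [system for system in sorted(active_accounts)
            if leavers and leavers <= active_accounts[system]]


def reconciliation_report(terminations, active_accounts, today, sla_days=REVOCATION_SLA_DAYS):
    """Report lines: one per residual account, plus an escalation per disconnected system."""
    findings = find_residual_access(terminations, active_accounts, today)
    lines = [
        f"{'OVERDUE' if f.days_open > sla_days else 'PENDING'} {f.employee} "
        f"still enabled in {f.system} ({f.days_open}d after termination)"
        for f in findings
    ]
    for system in disconnected_systems(terminations, active_accounts):
        lines.append(f"ESCALATE {system}: all current leavers still active; "
                     "check the de-provisioning integration")
    return lines


if __name__ == "__main__":
    for line in reconciliation_report(HR_TERMINATIONS, ACTIVE_ACCOUNTS, TODAY):
        print(line)
```

The per-system escalation is the part worth keeping: a single stale account is a missed ticket, but a system in which every leaver is still active is an integration that was never connected, which is exactly the kind of gap a per-user review will not surface.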
One company was quite good at removing system access quickly, but this wasn’t integrated with telephone access. Personnel who had been in a position of trust would still be able to get information that might be broadcast; this isn’t an exposure you can afford. Disgruntled employees who still find that some access points are open to them, or who have created “back doors” into your system, are a clear threat. Loyalty is abandoned when an employee hits the street involuntarily; you need a system that ensures all access is cut off. Joe, a security administrator, knew exactly where the holes were, but given the frequent rounds of layoffs, he didn’t share this information with his compliance officer or the auditors. When the day came that he was asked to leave (not for cause), he promptly turned around and placed confidential employee and customer information on the Web, exposing the company to serious risk and harm. Yet no one could prove it was him. And that isn’t even the worst exposure.
Pete was even angrier than Joe, and his expertise in systems management allowed him to introduce data corruption into the system. Even detecting that can take time; when this happened, some people found their accounts were empty while others were given an inappropriate payment. Problem remediation isn’t trivial; you will end up with claims from trusted vendors, business partners, and customers.
Notifying customers and complying with regulations after the fact isn’t free. Affected customers will probably cease doing business with you and tell their friends. The insurance of getting compliance right is worth the cost. The bottom line is that “you can pay for it now or pay for it later, but later costs more.”
Moving from a reactive to a proactive posture that’s characterized by automated, repeatable processes for security and compliance management is the key to reducing the total cost and complexity of compliance. A comprehensive solution is needed so you can demonstrate effective, continuous mainframe security compliance management and position yourself for future growth and additional advantages.
Streamlining and automating mainframe security management with one solution can help simplify compliance by:
- Performing automated checks in advance of auditing
- Validating security system integrity and effectiveness
- Taking corrective actions to safeguard business information
- Generating reports regularly
- Monitoring and alerting on actions and access
- Continually refining policies
- Minimizing human intervention in routine maintenance
- Reviewing and analyzing history, performance, and events.
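The first, fifth and fourth items in the list above (automated checks ahead of the audit, monitoring and alerting on access, and a report of the results) can be expressed as policy checks run over a snapshot of the security system plus a simple alert rule over its access-event log. The script below is an added example and not the article's or any product's code; the snapshot layout, the field names, the policy thresholds and the event log are all constructed assumptions chosen to resemble common audit controls.

```python
"""Automated pre-audit checks and access alerting over a security-configuration snapshot.

Added example, not the article's code. It assumes a snapshot exported from the
mainframe security manager as plain Python data (settings, user records and an
access-event log). Field names, thresholds and all data below are constructed
assumptions, not any real product's export format.
"""
from datetime import date, datetime, timedelta

TODAY = date(2011, 9, 18)

# Constructed snapshot of the security system's state.
SNAPSHOT = {
    "settings": {"password_interval_days": 180, "audit_logging": True},
    "users": [
        {"id": "ADMIN1", "privileged": True,  "last_logon": "2011-09-17"},
        {"id": "OPS2",   "privileged": True,  "last_logon": "2011-03-01"},  # privileged and dormant
        {"id": "USER3",  "privileged": False, "last_logon": "2011-05-02"},  # dormant, never revoked
        {"id": "USER4",  "privileged": False, "last_logon": "2011-09-10"},
    ],
    # Constructed access-event log: (timestamp, user, event kind).
    "events": [
        ("2011-09-18 08:00:05", "USER4",  "LOGON_FAIL"),
        ("2011-09-18 08:00:09", "USER4",  "LOGON_FAIL"),
        ("2011-09-18 08:00:14", "USER4",  "LOGON_FAIL"),
        ("2011-09-18 08:00:20", "USER4",  "LOGON_FAIL"),
        ("2011-09-18 08:00:31", "USER4",  "LOGON_FAIL"),
        ("2011-09-18 08:00:40", "USER4",  "LOGON_FAIL"),
        ("2011-09-18 09:15:00", "ADMIN1", "LOGON_FAIL"),
        ("2011-09-18 09:16:00", "ADMIN1", "LOGON_OK"),
        ("2011-09-18 14:05:00", "ADMIN1", "LOGON_OK"),
    ],
}

# Assumed policy thresholds for this example.
POLICY = {
    "max_password_interval_days": 90,
    "max_inactive_days": 90,
    "logon_fail_threshold": 5,
    "logon_fail_window": timedelta(minutes=10),
}


def _days_since(iso_day, today):
    return (today - date.fromisoformat(iso_day)).days


def run_checks(snap, today, policy=POLICY):
    """Evaluate each control; returns a list of (check name, passed, detail) tuples."""
    s = snap["settings"]
    limit = policy["max_password_interval_days"]
    results = [
        (f"password interval <= {limit} days",
         s["password_interval_days"] <= limit,
         f"configured {s['password_interval_days']} days"),
        ("audit logging enabled", bool(s["audit_logging"]), ""),
    ]
    dormant = [u["id"] for u in snap["users"]
               if _days_since(u["last_logon"], today) > policy["max_inactive_days"]]
    results.append(("no dormant accounts", not dormant, ", ".join(dormant)))
    # Dormant privileged accounts are reported separately: they carry far more risk.
    dormant_priv = [u["id"] for u in snap["users"] if u["privileged"] and u["id"] in dormant]
    results.append(("no dormant privileged accounts", not dormant_priv, ", ".join(dormant_priv)))
    return results


def failed_logon_bursts(events, threshold, window):
    """Alert on any user with `threshold` or more LOGON_FAIL events inside one sliding window."""
    per_user = {}
    for ts, user, kind in events:
        if kind == "LOGON_FAIL":
            per_user.setdefault(user, []).append(datetime.fromisoformat(ts))
    alerts = []
    for user, times in per_user.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                alerts.append((user, count))
                break  # one alert per user is enough for the report
    return alerts


def audit_report(snap, today, policy=POLICY):
    """Check results followed by alerts, as one pre-audit run would produce them."""
    lines = [f"{'PASS' if ok else 'FAIL'} {name}" + (f" ({detail})" if detail else "")
             for name, ok, detail in run_checks(snap, today, policy)]
    minutes = policy["logon_fail_window"].seconds // 60
    for user, n in failed_logon_bursts(snap["events"], policy["logon_fail_threshold"],
                                       policy["logon_fail_window"]):
        lines.append(f"ALERT {n} failed logons for {user} within {minutes} minutes")
    return lines


if __name__ == "__main__":
    for line in audit_report(SNAPSHOT, TODAY):
        print(line)
```

Running the same checks on a schedule rather than once before the audit is what turns this from an audit-preparation script into the continuous compliance the article argues for: the dormant-privileged-account finding in particular is the kind of exposure that opens and closes between annual reviews.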
To achieve this, you must go beyond the minimum requirements of regulatory compliance and turn your attention to an organizational governance strategy that affords higher levels of assurance. Such a comprehensive approach helps you demonstrate effective mainframe security compliance management, while positioning yourself for future growth and additional advantages such as risk reduction, forensic trending and analysis, streamlined, continuous compliance efforts, and enhanced operational efficiencies.