Compliance requirements can be complex and confusing for IT staff
As if IT staff didn't have enough to worry about, they also have to ensure that they adhere to an abundant, confusing and ever-changing array of industry and regional compliance requirements. This is an increasingly difficult task in today's decentralized, multi-platform and mobile world, with its mandate for ever faster software delivery.
Data and applications have become a pervasive component of modern business, and they have become the subject of new and diverse compliance requirements. Failure to comply could mean fines, penalties, loss of trust, even imprisonment. At the same time, applications themselves have become more complex, which increases the chances of 'dropping the ball' when it comes to compliance.
It takes 20 years to build a reputation and five minutes to ruin it! If you think about that, you'll do things differently.
For IT staff, understanding compliance requirements can be difficult and frustrating. IT staff generally are not experts in law, and the lawyers who write the requirements are not experts in IT. The language in which compliance requirements are described is therefore difficult to align with specific IT requirements.
This problem is compounded by the growing number and diversity of requirements, which span different industry sectors and geographical regions, and which are constantly evolving. Businesses that operate internationally will likely be subject to several different compliance requirements concurrently.
| Region | Regulations, standards and frameworks |
|---|---|
| Global | Basel, COBIT, COSO, ISO 17799/27001, ITIL, PCI DSS |
| North America | CMMI, GLBA, HIPAA, PIPEDA, SOX |
| Europe | BDSG, Directive 2006/24/EC, Directive 95/46/EC, Data Protection Act (Switzerland), Data Protection Act (UK), Euro-SOX, General Data Protection Regulation (GDPR), VDS |
| Asia-Pacific | APP, APRA, CLERP 9, JPIPA, J-SOX, RTI |
| Latin America | Azeredo, Bill 6891/02, Ley Federal de Protección de Datos Personales en Posesión de los Particulares |
DevOps is breaking down the traditional silos between Development, QA and Operations. This is leading to a concern that a 'wild west' ecosystem will emerge in which everyone has access to all production applications and sensitive data.
Every modern business stores and processes data. Much of the stored data concerns customers and suppliers and is therefore sensitive. Most compliance requirements relate to the protection of sensitive data and to the safeguards around changes to the software that manipulates that data. This puts IT staff centre stage for compliance accountability.
Best practices plus automation are making compliance easier for IT staff
Compliance best practices are emerging for IT. These consolidate multiple overlapping compliance requirements into a single set of requirements that is easier for IT staff to follow. Because of the high degree of overlap, it matters little whether the regulation in question is SOX, HIPAA, GDPR or another: the geography and industry sector may vary, but the best practices remain the same.
| Best practice | Requirement |
|---|---|
| Auditing | It must be possible to audit the activities of IT staff. It must also be possible to audit existing software applications for quality and for the impact of changes. |
| Authentication | Individual members of IT staff must be uniquely and reliably identified. Unauthorized access must be prevented. IT staff must not have more authority than they need, and must have clearly defined roles so that abuse cases are easy to expose. |
| Availability | Application availability must be maximized. Most downtime is caused by application failures rather than by equipment failure or disaster. Poor code quality and poor testing have been identified as the leading causes of application failures and security breaches. |
| Change Management | Application changes must be carefully managed because they can introduce risk. Fraud generally originates with disgruntled employees. IT staff must be held accountable for changes made to software applications, and applications must be protected from accidental or malicious changes by IT staff. |
| Confidentiality | Confidential information must not be exposed to unauthorized IT staff. |
| Integrity | Evidence must be provided to show that sensitive production data has not been accidentally or maliciously modified by IT staff. |
| Logging | Any IT action that might need to be audited must be logged, and the logs must resist tampering. |
Arcad tools span the full scope of IT staff activities and have been built from the start to be compliance ready, automating the compliance process by design. Automation is the key to simplifying compliance for IT staff: Arcad tools have been designed to let IT staff go about their business unhindered while keeping them compliant automatically.