Compliance Audits: An Introduction

Governance strategies for Security and Operations to reduce risk and ensure compliance

As the digital economy continues to expand and puts more pressure on enterprises to ensure security and compliance, the challenge of meeting these requirements grows with it. With the growing volume of digital activity, it is more critical than ever to have a clear audit trail and an action plan for compliance requirements, supported by automation that builds best-practice processes into the way security and compliance are maintained.

Compliance has been viewed in the past as mainly an administrative burden; however, the world is changing. The risk of high-profile consequences from incomplete or insufficient attention to vulnerabilities or compliance failures continues to increase. Operations teams must maintain optimal configurations across their organization’s infrastructure (including physical and cloud-based servers). At the same time, the Security team responsible for auditing and reporting on compliance with corporate or regulatory mandates needs to meet organizational and legal requirements. Both teams have to achieve these objectives despite increased pressure on budgets, fewer resources, and more frequent audits.

By taking a strategic approach to addressing security and compliance objectives, you can reduce the window of vulnerability, speed remediation, and reduce the time and effort required to keep an organization continuously compliant by managing by policy and not just by alerts. This strategic approach impacts IT configurations, including ongoing security scanning, regular compliance audits, and relevant processes such as change management.


What are the key compliance standards?

There are different types of audits that your organization may need to comply with, depending on your industry and geographic region. IT compliance typically relates to standards that may be internal or external. Examples of internal standards include operational or build standards that require certain configurations or the latest security patches. External compliance standards might include both best practices and security requirements imposed by industry or government bodies, such as the Payment Card Industry Data Security Standard (PCI DSS) for retailers, Sarbanes-Oxley (SOX) for publicly traded companies, or the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) standard for U.S. federal contractors and agencies.

Other external compliance standards include HIPAA (http://www.hhs.gov/hipaa/index.html), Center for Internet Security (CIS) benchmarks, DISA security policies, ISO standards, and FISMA.

What’s enterprise governance?

Enterprise governance supports systematic business change by aligning security and technology investments and projects with business needs. It provides the overarching structure to ensure that the technology is delivered effectively to reduce risk, conduct audits, ensure compliance, protect assets, and continuously align security and technology with business needs.

What’s the cost of failing to meet compliance requirements?

Organizations that cannot meet compliance requirements, and that fail to fully integrate the objectives of the Security and Operations teams, spend too much time, energy, and money on reporting. More importantly, if they don’t continually scan for security and compliance issues and automate the process of correcting them, they will eventually suffer security breaches and find themselves in a very difficult situation. Negative consequences of a breach may include:

Both the possibility of a breach and its impact can be substantially reduced with a strategic approach to automation that brings the Security and Operations teams together to streamline communication for a better hand-off between these teams and a more effective outcome.

What are the challenges related to audits and remediation in the digital economy?

The demands of the digital economy drive a high volume of high-speed activity, with more transactions and interactions that can expose an enterprise to more vulnerabilities. This complexity is exacerbated by the increase in cloud-based apps, virtualized data centers, and the growth of BYOD (bring your own device) in the workplace.

There is often a lag between the time an audit is completed and the time corrective action is taken, because the two efforts are carried out by different teams with competing priorities. Historically, configuration compliance has been a two-step process. First, an audit compares the current state of IT systems to the applicable policies, standards, and legal requirements on a regular basis. Second, the remediation process documents and corrects discrepancies between the desired configuration standard and the live configuration, bringing the actual state in line with the desired state.

An audit report that lists security risks or discrepancies in configurations has some value, but it does not provide actual compliance. Today, this process is generally disconnected, with one team defining or adopting a certain standard and performing audits against that standard. However, the auditing team usually does not have access to correct any issues that have been identified, so they must send a list of those issues to the IT operations team for action.

Finally, it’s easy to overlook something in an emergency, but when you plan ahead and include continuous automated discovery, you can achieve comprehensive coverage for your security and compliance efforts. Automated vigilant compliance makes both audit and remediation routine, ongoing activities – not emergencies.

How can automation ensure vigilant compliance and governance?

Vigilant compliance is based on managing by policy, and not just by an alert. It means that organizations need to assess their risks, streamline their processes, monitor security, and do closed-loop remediation. It’s based on a holistic approach to governance that integrates and automates phases that include: discovery, definition, audit and remediation.

A governance policy is composed of these four areas and should leverage automation to help ensure vigilant compliance:

By coordinating with the change management process, teams can enforce change windows and avoid collisions or unplanned outages. Compliance may not necessarily require a configuration to be changed, since a security requirement may be satisfied in other ways; but it is important to document and track such exceptions. If exceptions to standard compliance practice are not organized and formalized in this way, the risk is that “almost compliant” becomes the new standard: undocumented deviations generate large numbers of false-positive alerts or, worse, cause the organization to fail an audit.
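The two-step audit-and-remediation loop, the documented exceptions, and the change-window gate described above can be shown end to end in a few dozen lines. The following Python is an added illustration and is not code from BMC or from any compliance product; the policy rules, the "discovered" host configurations, the exception register, and the change window are all constructed sample data. The example goes slightly beyond the text in one respect: an exception that has passed its expiry date is treated as an ordinary discrepancy again, which is how "almost compliant" is kept from quietly becoming the standard.

```python
"""Closed-loop configuration compliance: audit -> exceptions -> gated remediation.

Added example, not vendor code. All data below is constructed for illustration.
"""
import copy
from dataclasses import dataclass
from datetime import datetime
from typing import Any

# "Definition" phase output: the desired configuration state (constructed).
POLICY = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "tls.min_version": "1.2",
    "audit.enabled": True,
}

# "Discovery" phase output: live configuration per host (constructed).
DISCOVERED = {
    "web-01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
               "tls.min_version": "1.2", "audit.enabled": True},
    "db-01": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
              "tls.min_version": "1.0", "audit.enabled": False},
}

# Documented exceptions: who owns the deviation and when it must be revisited (constructed).
EXCEPTIONS = [
    {"host": "web-01", "rule": "ssh.PasswordAuthentication",
     "owner": "app-team", "expires": "2030-01-01T00:00:00+00:00"},
    {"host": "db-01", "rule": "tls.min_version",
     "owner": "dba-team", "expires": "2020-01-01T00:00:00+00:00"},  # already expired
]


@dataclass
class Finding:
    host: str
    rule: str
    expected: Any
    actual: Any
    excepted: bool = False  # True only when a current, documented exception covers it


def _ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(iso)


def audit(policy, discovered, exceptions, now_iso):
    """Audit phase: compare live state to policy and report every discrepancy.

    A discrepancy is marked excepted only if an exception exists AND has not expired;
    expired exceptions fall back to being real findings.
    """
    now = _ts(now_iso)
    active = {(e["host"], e["rule"]) for e in exceptions if _ts(e["expires"]) > now}
    findings = []
    for host, live in discovered.items():
        for rule, expected in policy.items():
            actual = live.get(rule)
            if actual != expected:
                findings.append(Finding(host, rule, expected, actual, (host, rule) in active))
    return findings


def remediate(findings, discovered, now_iso, window_iso):
    """Remediation phase: apply the policy value for non-excepted findings.

    Changes are only applied inside the change window (start inclusive, end exclusive);
    outside it nothing is touched and an empty list is returned.
    """
    start, end = (_ts(w) for w in window_iso)
    now = _ts(now_iso)
    if not (start <= now < end):
        return []
    changed = []
    for f in findings:
        if f.excepted:
            continue  # documented exception: leave the configuration as-is
        discovered[f.host][f.rule] = f.expected
        changed.append((f.host, f.rule))
    return changed


def run_cycle(now_iso, window_iso, policy=POLICY, discovered=DISCOVERED, exceptions=EXCEPTIONS):
    """One closed-loop pass: audit, remediate (if allowed), re-audit. Works on a copy."""
    live = copy.deepcopy(discovered)
    before = audit(policy, live, exceptions, now_iso)
    changed = remediate(before, live, now_iso, window_iso)
    after = audit(policy, live, exceptions, now_iso)
    return {"before": before, "changed": changed, "after": after}


if __name__ == "__main__":
    window = ("2025-06-01T02:00:00+00:00", "2025-06-01T04:00:00+00:00")
    for label, now in (("inside window", "2025-06-01T03:00:00+00:00"),
                       ("outside window", "2025-06-01T12:00:00+00:00")):
        r = run_cycle(now, window)
        print(f"{label}: {len(r['before'])} findings before, "
              f"{len(r['changed'])} remediated, {len(r['after'])} remaining")
        for f in r["after"]:
            print(f"  remaining: {f.host} {f.rule} expected={f.expected!r} "
                  f"actual={f.actual!r} excepted={f.excepted}")
```

Running the cycle inside the change window leaves exactly one finding, the web-01 password-authentication deviation that has a current exception on record; the expired db-01 TLS exception is corrected like any other discrepancy. Outside the window the audit still reports all four discrepancies but nothing is changed, which is the hand-off point where the report goes to the Operations team rather than being silently dropped.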