3 ways IT leaders can strengthen compliance and control

By Keith Macbeath

(Keith Macbeath is a senior principal consultant with HP Software Professional Services)

 

These days as I talk to customers and industry experts, I’m seeing a lot to suggest that compliance is becoming a bigger issue for IT.

Just a few months ago, the SEC announced that it was going to ask companies to report on cybersecurity and information risk in their filings. While there’s some discussion of how this will be received, I think it’s clear that we’re seeing the temperature rise on compliance.

Compliance puts the focus on IT as an audit issue. We saw this with Sarbanes-Oxley, and it just keeps growing. Since many controls are dependent on IT systems, if the control in IT is weak, the whole system is compromised.

So how do you strengthen your compliance and control?

Standardize and automate the processes managing IT

Control is all about process. But if you look at IT relative to other functions in the organization, IT is out of control. In many ways, IT is still a cottage industry. By that I mean that when something needs to get done in IT it often starts with a manual process and an order sheet. A lot of what is done in IT is artisanal, handmade work.

And this makes auditors very uncomfortable.

We’re reaching a point at which artisanal IT is giving way to the Industrial Revolution. Organizations are standardizing and automating IT because that delivers lower cost and faster time to market. The other benefit of these trends is increased control. With standardization and automation you’re now at a point where you can look at the quality of the processes managing your IT.

Get to know COBIT

As compliance becomes more of an issue for IT, we’ll see more of COBIT – a standard that has come out of the audit community.

COBIT used to define maturity levels in much the same way as other standards such as CMMI. But with COBIT 5, which is now in pre-release for feedback, the organization responsible for COBIT is defining levels in a way that is much more compliance oriented. With COBIT 5 you’ll go through strict binary audits, process by process, and each process will either be in control or not. Preliminary testing suggests that it’s quite difficult to get a process to the point where an auditor would accept it as being in control.

What’s going to happen, I believe, is that a lot of organizations will have to take a hard look at the state of their compliance.

Now, many industries, such as banking, are already familiar with COBIT. I know one bank that runs everything in IT against COBIT controls and has a rolling internal audit process. But for others, it’s going to be a journey to a control mentality.

Change your mindset to include control

Beyond embracing COBIT, there are other things organizations can do to improve control and compliance.

For instance, HP’s Executive Scorecard is all about better visibility and control. It provides executive-level metrics that track whether a process is within its established tolerances or outside them. It also features exception-based management, which is very much a control notion.

You’ll want to use business service management tools and software like HP Quality Center to get metrics around your IT performance. And you’ll want to strengthen your IT governance.

Making these changes now will go a long way toward positioning your organization for the new shifts in compliance.