Book Excerpt
Ten Steps for IT Policy Compliance
How can organizations prepare for compliance and the auditors who work hard to find things their organization forgot to do?
Mar. 30, 2010 08:15 AM
IT policy compliance is more important than ever as the vast majority of business and government today is done with IT. Businesses use e-commerce sites to take orders from customers online, and brick-and-mortar businesses use software for back-office accounting and order management. This use of IT brings operational risks that can have widespread negative impact, and that’s what captures the attention of policy makers to create laws to protect company and customer data.
IT policy compliance is the implementation and management of information technology in accordance with accepted standards. Using the right approach can help a company manage its IT policy compliance in order to reduce operational risks and protect valuable data. This article provides 10 steps to help organizations prepare for compliance and the auditors who work hard to find things their organization forgot to do.
#1. Remember that IT compliance is about people, processes and technology
Many companies put too much emphasis on the technology and end up failing audits due to their lack of attention to people and processes. While IT makes this compliance ecosystem more complicated, using the right approach can help a company to automate its controls and controls monitoring.
#2. Understand the Importance of IT in policy compliance
Compliance is about conformity with accepted standards. Usually, this means obeying laws and regulations that apply to your business. IT is so important in policy compliance because of the crucial part it plays in the operation of modern businesses, and compliance often relates to the way your organization uses IT. IT compliance is the implementation and management of IT in accordance with accepted standards. This includes technical standards, and how people use that technology in the course of business operations.
#3. Determine the Relevant Laws and Regulations
Laws and regulations articulate the ‘policies’ governing their requirements. Examples include the Sarbanes–Oxley Act (SOX) to regulate financial reporting, the Gramm–Leach–Bliley Act (GLBA) to regulate non-public personal information (including financial data), the Health Insurance Portability and Accountability Act (HIPAA) to regulate protected health information processed by health care organizations, and many others. You can’t begin the process of policy compliance without knowing which laws and regulations apply to your company.
#4. Ascertain What Controls Apply to the Laws and Regulations
Controls are the technical and process-oriented means to comply with policy. Controls are specified by various government and industry standards, such as Control Objectives for Information and Related IT (COBIT), National Institute of Standards and Technology (NIST), International Standards Organization (ISO), and the Payment Card Industry Data Security Standard (PCI DSS). As with laws and regulations, compliance requires that you determine which controls apply to your organization. Auditors rely heavily on these controls, which are standard procedures for IT policy compliance.
#5. Align IT Policy Compliance and Security with the Business
Aligning compliance with business entails understanding your organization’s culture. Is it highly process-driven, or does it have more of an ad-hoc, chaotic way of doing things? If it’s the former, issuing detailed policies may be adequate for ensuring compliance. But if it’s the latter case (a common situation!), you need controls that are preventative and detective in nature. Your controls should address the specific business risks related to policy. Executives buy in more when you can speak their language of business. Doing this also helps auditors to understand the reasons why your organization deployed particular controls, or perhaps decided to accept certain levels of risk.
#6. Understand Your IT Environment
Your IT environment directly affects the design of your policy compliance program. The two common types of environments are:
- A homogeneous environment, which is largely consistent, with IT deployments consisting of standardized vendors, models, and configurations.
- A heterogeneous environment, which uses a broad range of technologies, versions, and even different compliance and security applications.
In general, compliance is less expensive for homogeneous environments. Fewer technology types, fewer technology vendors, and fewer technology versions translate to fewer policies and less complexity. This results in a lower cost of compliance and security per system because each individual process covers a greater percentage of the IT estate.
Take extra care to ensure policies adequately address new technologies, such as cloud computing and virtualization. Cloud computing, in particular, requires policies with a higher emphasis on administrative controls and slightly less on technical security controls, because you’re delegating management of the hosting and network systems.
#7. Establish Accountability
IT policy compliance programs don’t work without accountability. Accountability involves the definition of organizational roles and responsibilities – which set out what assets an individual is responsible for protecting and who has authority to make decisions.
Accountability starts at the top with executives; you stand a better chance of their active involvement by casting IT policy compliance in terms of business risks rather than technology.
As for the IT department, they have two main roles:
- As data/system owners - The owner is a member of the management team who is responsible for how data is used and its ultimate care, and is accountable for managing and protecting the information.
- As data/system custodians - Specific custodial roles may include system administrator, security analyst, internal audit, legal counsel, and so on. Policies are especially important for these roles. Auditors carefully verify the execution of compliance activity in conjunction with authorized roles and designated accountability.
#8. Prioritize Remediation of Vulnerabilities and Audit Issues
Remediation is a critical activity that must be planned and executed in a manner that is logical, repeatable, and defendable to auditors. Start with the business-critical risks and exposures; address all previous audit findings; look for any instance where one fix can address multiple control weaknesses or findings; and go after the low-hanging fruit first!
Remediation should leverage a risk-oriented approach based on a solid understanding of business process and the technical environment. Aim to associate the prioritization value of an asset by its physical cost and by its role in accomplishing a business goal. By doing so, your compliance program can better ensure that the most critical deficiencies and exposures that could impact the business are addressed first.
#9. Use Automation for IT Policy Compliance
Your IT assets are continuously evolving and growing in number. For internal auditors to review more than a small sampling of user accounts or system configuration settings on a periodic basis is practically impossible. Automation is the only reasonable way to assure that you evaluate an adequate number of systems on a regular basis.
Automation enables auditors to verify compliance better because it automates the testing of all steps and all controls – without human subjectivity, bias, or error from the data collection and analysis. Automation does this by applying previously-defined policies and templates across numerous machines. It also reduces the number of people that you need to assign to the process, saving money, and speeds analysis with instant reporting, which accelerates spotting and remediating issues. Data collected by automated IT policy compliance can also help an organization improve business processes. IT policy compliance automation with a solution like QualysGuard Policy Compliance enables your organization to get more coverage and more precision for less money.
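To make the two ideas above concrete, the automated application of a predefined policy template across many machines (step 9) and the risk-based ordering of what to remediate first (step 8), here is an added example that is not code from the book or from QualysGuard. The control IDs, the hosts, their settings and their criticality ratings are all constructed sample data; the policy template mirrors a simple password, logging and remote-access baseline that is assumed for illustration.

```python
"""Added example: evaluate one policy template against configuration
snapshots collected from several hosts, then rank the failures by
severity x asset criticality so the most important gaps surface first.

All control IDs, hosts and settings below are constructed sample data.
"""
from dataclasses import dataclass

# Policy template: control id -> (setting key, check kind, expected value, severity 1-5).
# These are hypothetical controls, not taken from any published standard.
POLICY_TEMPLATE = {
    "PWD-01": ("password_min_length", "min", 12, 4),
    "PWD-02": ("password_max_age_days", "max", 90, 3),
    "LOG-01": ("audit_logging_enabled", "eq", True, 5),
    "SSH-01": ("ssh_root_login", "eq", False, 5),
    "NTP-01": ("ntp_configured", "eq", True, 2),
}

# Constructed inventory: hostname -> (asset criticality 1-5, collected settings).
# kiosk-07 deliberately lacks an ntp_configured value to show missing evidence.
HOSTS = {
    "erp-db-01": (5, {"password_min_length": 8, "password_max_age_days": 90,
                      "audit_logging_enabled": True, "ssh_root_login": True,
                      "ntp_configured": True}),
    "web-03": (3, {"password_min_length": 14, "password_max_age_days": 365,
                   "audit_logging_enabled": False, "ssh_root_login": False,
                   "ntp_configured": True}),
    "kiosk-07": (1, {"password_min_length": 12, "password_max_age_days": 60,
                     "audit_logging_enabled": True, "ssh_root_login": False}),
}


@dataclass(frozen=True)
class Finding:
    host: str
    control: str
    observed: object
    expected: object
    severity: int
    criticality: int

    @property
    def priority(self) -> int:
        # Simple risk score: how bad the gap is times how much the asset matters.
        return self.severity * self.criticality


def _passes(kind: str, observed, expected) -> bool:
    # Missing evidence is treated as a failure, never as a silent pass.
    if observed is None:
        return False
    if kind == "min":
        return observed >= expected
    if kind == "max":
        return observed <= expected
    return observed == expected


def evaluate_host(host: str, criticality: int, settings: dict,
                  policy: dict = POLICY_TEMPLATE) -> list:
    """Apply every control in the template to one host's collected settings."""
    findings = []
    for control, (key, kind, expected, severity) in policy.items():
        observed = settings.get(key)
        if not _passes(kind, observed, expected):
            findings.append(Finding(host, control, observed, expected,
                                    severity, criticality))
    return findings


def evaluate_inventory(hosts: dict = HOSTS, policy: dict = POLICY_TEMPLATE) -> list:
    """Run the template across all hosts; highest-priority findings first."""
    findings = []
    for host, (criticality, settings) in hosts.items():
        findings.extend(evaluate_host(host, criticality, settings, policy))
    return sorted(findings, key=lambda f: (-f.priority, f.host, f.control))


def compliance_rate(hosts: dict = HOSTS, policy: dict = POLICY_TEMPLATE) -> float:
    """Percentage of (host, control) checks that passed, to one decimal."""
    total = len(hosts) * len(policy)
    failed = len(evaluate_inventory(hosts, policy))
    return round(100 * (total - failed) / total, 1)


if __name__ == "__main__":
    for f in evaluate_inventory():
        print(f"P{f.priority:>2} {f.host:<10} {f.control} "
              f"observed={f.observed!r} expected={f.expected!r}")
    print(f"overall control pass rate: {compliance_rate()}%")
```

Two design points matter for an audit. A setting that was never collected is reported as a failure rather than skipped, so gaps in evidence gathering show up in the same list as real control failures. And the ordering is driven by asset criticality as well as control severity, which is what lets you show an auditor why the database host's root-login finding was fixed before the kiosk's time-sync finding.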
#10. Monitor Your IT Policy Compliance Program Regularly
We conclude this chapter and book* by re-stating the Big Picture: Regularly check the “sanity” of your IT policy compliance program to make sure that controls are appropriate and risk based. They must make financial sense to the business. Establish your justifications before auditors arrive, and don’t be afraid to share the business context with them should questions arise about a particular control. The presence of your automated IT policy compliance controls, with well-reasoned business context for each one, will help ensure that your company passes the audit – and viably enforces IT policy compliance throughout the organization.
*The above tips are excerpted from the book “IT Policy Compliance for Dummies,” by the authors. To download a free copy of the entire book, visit this link [qualys.com].
About Jason Creech
Jason Creech is co-author, with Matt Alderman, of “IT Policy Compliance for Dummies.”
About Matt Alderman
Matt Alderman is co-author, with Jason Creech, of “IT Policy Compliance for Dummies.”