Two birds with one stone

Effective managed services embed compliance into regular maintenance activities.

By Brent Flint, services executive for Dimension Data Middle East & Africa.
Johannesburg, 19 Aug 2011

It's clear that organisations are not only struggling with security and with preventing direct threats to the business, but are also battling with the much vaguer and sometimes more complex issue of compliance.

If a company can't keep track of its device configurations, or change and release management processes, where does it find the extra will, insight, and human resources to first interpret its compliance requirements, and then implement or enforce them?

A powerful motivation might be the realisation that proactively managing the IT infrastructure enables a company to obtain detailed knowledge of what it has in its systems, and what's working and what's not.

This automatically gives the company a much clearer idea of its compliance status. In other words, IT management and compliance management are two sides of the same coin, and should happen together in order to reduce the effort and resources needed to manage compliance, while at the same time increasing the company's levels of compliance.

For organisations that understand this, managed services become extremely attractive - because, correctly packaged, managed services offer the distinct advantage of embedding compliance in routine maintenance activities.

Value add

Traditionally, managed services are about managing network operations and availability. Organisations must work with a trusted service provider to add a layer of due diligence and compliance that includes, for instance, configuration management as a discipline that is measured against stringent service level agreements.

Organisations must also ensure they are provided with reports on infrastructure management activities, which are focused on identifying which network devices are up or down.

This is not a return on investment discussion, but a discussion about the total cost of operating IT infrastructure. Why have one set of people and tools to perform a company's infrastructure management, another to do security management, and a third to look after compliance management?

Best intent

Perhaps more than the need to save money, time, and resources on managing compliance, organisations are driven to managed services in large measure because no other part of the IT infrastructure is officially policed in the way that compliance is.

Interpretation of compliance requirements can be as difficult for the auditors as it is for the IT department. When auditors have found something that is clearly not compliant, it's just that much easier to stay with it than to move on to vaguer areas. In that context, IT and audit should work together on managing the organisation's risk.

While compliance needs to be coherently applied, it is usually about making incremental rather than holistic changes. Sometimes the fix needed is one change to a process or documentation. Sometimes all that is needed are additional authorisation levels. Occasionally, it's necessary to buy a piece of additional or new technology, and very often, compliance best intent and best practice are optimally served by changing nothing.

If IT and audit focus jointly on what option is best for the organisation, the process of arriving at those decisions can be significantly shortened, money can be saved, and business performance improved.

Just as importantly, a joint proactive focus prevents kneejerk responses to discoveries of non-compliance that more often than not result in expensive ad hoc repairs by external suppliers.

Getting IT and audit to work together is easier said than done, but a managed service that includes compliance management oils the wheels - because the managed services provider automatically generates regular, comprehensive reports that proactively identify the issues.

So, everyone involved is always abreast of events. Managed services providers are also best placed, because of years of best-practice experience across multiple industries, to interpret compliance requirements in ways that are most relevant to the organisation's particular technology set-up.

Most client organisations simply don't have the resources or tools in-house to do this.

Getting ahead of the problems

Organisations must work with trusted IT services partners to identify potential problems. There is no point in knowing about a problem they cannot fix. Organisations need a combined monitoring and maintenance service that will be proactive in ensuring that network configuration is continuously updated according to both compliance requirements and best practice - to minimise the risk of being attacked.

Organisations need to work with the right partners and use the correct tools to find out exactly what their security posture is and the state of health of their infrastructure. They will be able to know who logged on to what device, what they did to the device, and whether or not best practice was contravened. If something is implemented that doesn't match compliance needs, they receive an alert - enabling them to pre-empt problems.

Financial institutions may also opt to use tools that monitor and manage their configuration changes to security devices, and correlate and reconcile what was done to which devices, when. The report is automatically provided to the organisation's change advisory board and their audit departments.
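The two checks described above, a configuration baseline that raises an alert when a device no longer matches compliance needs, and a reconciliation of who changed what, on which device, when, against the change advisory board's approved tickets, can be illustrated in a few dozen lines. The following is an added example and is not Dimension Data's tooling or any vendor's product output; the device names, configuration text, usernames, ticket numbers and timestamps are all constructed samples, and the rule set is a hypothetical baseline chosen for illustration.

```python
"""Configuration-compliance check and change reconciliation.

Added illustrative example. Every device config, rule, user, ticket number
and timestamp below is a constructed sample, not data from a real network.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import re

# --- Constructed compliance baseline: (rule id, description, regex, must be present)
RULES = [
    ("CFG-01", "password encryption enabled", r"^service password-encryption$", True),
    ("CFG-02", "HTTP management server disabled", r"^no ip http server$", True),
    ("CFG-03", "telnet not permitted on VTY lines", r"^ transport input .*\btelnet\b", False),
    ("CFG-04", "central syslog host configured", r"^logging host \S+$", True),
]

# --- Constructed running configurations for two sample devices
CONFIGS = {
    "core-sw-01": (
        "hostname core-sw-01\nservice password-encryption\nno ip http server\n"
        "logging host 10.0.0.5\nline vty 0 4\n transport input ssh\n"
    ),
    "edge-fw-02": (
        "hostname edge-fw-02\nip http server\nlogging host 10.0.0.5\n"
        "line vty 0 4\n transport input telnet ssh\n"
    ),
}


def check_compliance(config_text):
    """Return the (rule id, description) pairs this configuration violates.

    A rule is violated when a required line is missing or a forbidden line is
    present; this is the check that would drive the 'doesn't match compliance'
    alert mentioned in the article.
    """
    lines = config_text.splitlines()
    violations = []
    for rule_id, desc, pattern, must_be_present in RULES:
        matched = any(re.match(pattern, line) for line in lines)
        if matched != must_be_present:
            violations.append((rule_id, desc))
    return violations


@dataclass
class ChangeEvent:
    """One logged configuration command: who, on which device, when, what."""
    device: str
    user: str
    at: datetime
    command: str
    ticket: Optional[str]  # change ticket the operator cited, if any


@dataclass
class ApprovedChange:
    """A change the advisory board approved for one device in one window."""
    ticket: str
    device: str
    window_start: datetime
    window_end: datetime


# Constructed CAB record and constructed command-accounting log entries.
APPROVED = [
    ApprovedChange("CHG-1001", "core-sw-01",
                   datetime(2011, 8, 18, 22, 0), datetime(2011, 8, 19, 0, 0)),
]
EVENTS = [
    ChangeEvent("core-sw-01", "netops1", datetime(2011, 8, 18, 22, 15),
                "logging host 10.0.0.5", "CHG-1001"),
    ChangeEvent("edge-fw-02", "contractor7", datetime(2011, 8, 19, 9, 30),
                "ip http server", None),
    ChangeEvent("edge-fw-02", "contractor7", datetime(2011, 8, 19, 9, 31),
                "transport input telnet ssh", "CHG-1001"),
]


def reconcile_changes(events, approved):
    """Tag each logged change as approved, no-ticket, wrong-device or outside-window."""
    by_ticket = {a.ticket: a for a in approved}
    results = []
    for ev in events:
        if ev.ticket is None or ev.ticket not in by_ticket:
            status = "no-ticket"
        else:
            a = by_ticket[ev.ticket]
            if a.device != ev.device:
                status = "wrong-device"
            elif not (a.window_start <= ev.at <= a.window_end):
                status = "outside-window"
            else:
                status = "approved"
        results.append((ev.device, ev.user, ev.at.isoformat(), ev.command, status))
    return results


def build_report(configs, events, approved):
    """Per-device summary for the change advisory board and audit: current
    compliance violations plus any change that cannot be tied to an approval."""
    reconciled = reconcile_changes(events, approved)
    return {
        device: {
            "violations": check_compliance(text),
            "unreconciled_changes": [r for r in reconciled
                                     if r[0] == device and r[4] != "approved"],
        }
        for device, text in configs.items()
    }


if __name__ == "__main__":
    for device, summary in build_report(CONFIGS, EVENTS, APPROVED).items():
        print(device, summary)
```

In the sample data the unapproved telnet change on edge-fw-02 shows up twice over: once as a baseline violation (CFG-03) and once as a change whose cited ticket belongs to a different device. That double view is the "correlation and reconciliation" the article is pointing at: the violation tells audit what is wrong now, the reconciliation tells the change advisory board who did it and under what authority.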

Correlation and reconciliation are key. Compliance isn't just about performing a series of tasks - it's about making sense of the impact that doing these things will have on the business. Using a managed service is one of the most cost-effective ways of doing this.