Oh no! Here comes the auditor…

Alan Foley, Presales, HP Software+Solutions explores the joys of compliance management

July 14, 2010

By Alan Foley, Presales HP Software and Solutions

Without a shadow of a doubt I think an auditor can quite easily be placed in the same category as the taxman and a traffic cop and is deemed to be ‘persona non grata’. For those that missed out on Latin at school it literally means ‘an unwelcome person’.  We don’t want any of them coming near us, let alone interacting with us.  How do we avoid the taxman? We submit our tax returns on time. How do we avoid the traffic cop? Well, we don’t exceed the speed limit. How do we avoid the auditor? Unfortunately, in the corporate world, you can’t…but you can make the experience a lot more pleasant.

Why do you think the auditor is coming around? It’s all about compliance – are you doing what has been mandated to you by business and international best practices? There are many types of compliance, including processes (order processing, reporting), financial and IT infrastructure (networks, storage, servers, clients), middleware (DBs, AP, web servers, .NET, J2EE, SAP, applications etc), industry best practices (NSA, PCI, MSFT Security, SOX, HIPAA or methodologies like ITIL) and lastly internal policies and procedures.

How are you managing compliance in your organisation? Most organisations define compliance requirements in silos, and checks and reports are done manually by system and process administrators. The auditor is then tasked with reviewing these reports and ensuring that all criteria were met. However, all these reports will more than likely be silo specific and will not give an overall compliance status of the business.

Another challenge that organisations face is the fact that policies change or new ones get created on a regular basis. New hardware, whether servers, network devices or storage, is also added, and knowing about these new additions and manually managing them is virtually impossible to control and report on effectively. This results in a manual compliance effort, lots of trivial boring rules, time consuming activities and human error. With the advent of virtualisation there are many new layers and hidden relationships, and with the ease of virtual infrastructure, changes happen much faster.

One of the challenges facing software compliance management is determining what is installed where, which can be very time consuming. There are complex rules to be followed (error prone) and software is constantly being installed on or removed from managed assets (servers, client workstations). A new trend that has emerged over the last year or so is increased vendor audits due to falling revenues – the industry puts these revenue losses at about 25%. The software licensing model also changes when moving from physical to virtual servers, and this in itself brings software compliance and licensing management issues. The picture does not look great, does it?

So what’s the solution, how can you as the company CIO address these issues? The answer: continual automated monitoring and remediation.  How would you achieve this? Let’s start by focusing on two key areas: automated IT Infrastructure configuration compliance and automated software license compliance.

Automated configuration compliance management

1. Establish and then continuously sweep for policy adherence
•    Standard configurations: internal best practices or regulatory requirements (PCI, HIPPA, SOX, etc)
•    Run regular compliance sweeps to ensure nothing has drifted from configuration standards
•    Stay up-to-date with compliance risks through a recognised compliance subscription service

2. Report across whole business service
•    Network, storage, server, middleware, applications – one view across all of these

3. Remediate
•    Tools that execute change to remediate violation (automatically or after review)
•    Runbook automation to integrate with event management and service desk change processes. It is important to integrate with ITIL processes like change management, ensuring that all stakeholders are aware of the compliance issue that you are planning to remediate
•    Be aware of uncontrolled automated remediation – this may cause a degradation of service or even an outage
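The three steps above (sweep against a standard, report per business service, remediate only after review) can be shown as one small loop. The following is an added example written for this page, not HP's product code; the policy rules, hostnames and business services are constructed assumptions, and the "approved changes" set stands in for a change-management record so that nothing is altered without a review gate.

```python
"""Added example: a minimal sweep / report / gated-remediation cycle.

Constructed data throughout; rule ids, settings and hosts are illustrative
assumptions and do not come from any real standard or product.
"""
from dataclasses import dataclass
from typing import Any, Callable
import copy


@dataclass(frozen=True)
class Rule:
    rule_id: str
    setting: str                   # configuration key to inspect
    check: Callable[[Any], bool]   # returns True when the value is compliant
    expected: Any                  # value remediation would apply
    source: str                    # where the requirement comes from


# Constructed baseline, standing in for the "standard configurations" step.
POLICY = [
    Rule("R1", "ssh_password_auth", lambda v: v is False, False, "internal"),
    Rule("R2", "tls_min_version", lambda v: v in ("1.2", "1.3"), "1.2", "PCI"),
    Rule("R3", "log_retention_days",
         lambda v: isinstance(v, int) and v >= 365, 365, "PCI"),
]

# Constructed discovery output: each asset belongs to a business service and a
# tier (network / server / middleware) so the report can span all of them.
ASSETS = {
    "web-01": {"service": "Online Orders", "tier": "server", "config":
               {"ssh_password_auth": True, "tls_min_version": "1.2", "log_retention_days": 365}},
    "db-01": {"service": "Online Orders", "tier": "middleware", "config":
              {"ssh_password_auth": False, "tls_min_version": "1.0", "log_retention_days": 400}},
    "fw-01": {"service": "Online Orders", "tier": "network", "config":
              {"ssh_password_auth": False, "tls_min_version": "1.3", "log_retention_days": 90}},
    "hr-app": {"service": "Payroll", "tier": "server", "config":
               {"ssh_password_auth": False, "tls_min_version": "1.3", "log_retention_days": 365}},
}


@dataclass
class Violation:
    asset: str
    rule: Rule
    actual: Any


def sweep(assets, policy):
    """Evaluate every rule on every asset; a missing setting is a violation."""
    violations = []
    for name, asset in assets.items():
        for rule in policy:
            actual = asset["config"].get(rule.setting)
            if not rule.check(actual):
                violations.append(Violation(name, rule, actual))
    return violations


def service_report(assets, violations):
    """Roll violations up to business-service level: one view across tiers."""
    report = {}
    for name, asset in assets.items():
        row = report.setdefault(asset["service"],
                                {"assets": 0, "violations": [], "compliant": True})
        row["assets"] += 1
    for v in violations:
        row = report[assets[v.asset]["service"]]
        row["violations"].append((v.asset, assets[v.asset]["tier"], v.rule.rule_id, v.rule.source))
        row["compliant"] = False
    return report


def remediate(assets, violations, approved_changes):
    """Apply the expected value only where an approved change exists for that
    (asset, rule) pair; everything else is left untouched and listed for review."""
    applied, pending = [], []
    for v in violations:
        key = (v.asset, v.rule.rule_id)
        if key in approved_changes:
            assets[v.asset]["config"][v.rule.setting] = v.rule.expected
            applied.append(key)
        else:
            pending.append(key)
    return applied, pending


def run_cycle(assets, policy, approved_changes=frozenset()):
    """One cycle on a copy of the inventory: returns report, applied, pending
    and the post-remediation inventory, so the next sweep can be compared."""
    working = copy.deepcopy(assets)
    violations = sweep(working, policy)
    report = service_report(working, violations)
    applied, pending = remediate(working, violations, approved_changes)
    return report, applied, pending, working


if __name__ == "__main__":
    report, applied, pending, after = run_cycle(ASSETS, POLICY, {("web-01", "R1")})
    for svc, row in report.items():
        print(svc, "COMPLIANT" if row["compliant"] else f"{len(row['violations'])} violation(s)")
    print("applied:", applied)
    print("pending review:", pending)
    print("violations remaining after cycle:", len(sweep(after, POLICY)))
```

Running this shows the "Online Orders" service non-compliant on three tiers while "Payroll" is clean; only the one approved change is applied, the other two violations stay queued for review, and a second sweep confirms the remaining count, which is the trend a dashboard would plot over time.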

Automated software compliance management

1. Define a way to model your software license contracts and store them in an asset management system
2. Discover what software is in use and on what environment it is running
3. Reduce costs by reporting on software licenses you are not using or align your software licenses with your actual usage
4. Feed the results into an asset management system; this will enable you to do a compliance ‘what if’ analysis on your assets
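The four steps above amount to modelling contracts, discovering installs, reconciling the two and re-running the reconciliation for planned changes. The example below is added here to illustrate that; it is not HP's asset-management code. Every contract, product and host is constructed, and the two licence metrics (per install, and per physical host so that several VMs on one hypervisor consume one licence) are simplified assumptions rather than any vendor's actual terms.

```python
"""Added example: reconciling discovered installs against modelled contracts.

All contracts, products and hosts are constructed; the licence metrics are
assumptions made for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    product: str
    entitled: int            # licences purchased
    metric: str              # "per_install" or "per_physical_host" (assumed)
    annual_cost_each: float


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    physical_host: str       # the VM's hypervisor, or the host itself if physical


# Step 1: the modelled contracts (constructed).
CONTRACTS = [
    Contract("DBEngine", 4, "per_physical_host", 5000.0),
    Contract("OfficeSuite", 50, "per_install", 120.0),
    Contract("Monitor", 10, "per_install", 300.0),
]

# Step 2: discovery output (constructed). Three DB VMs sit on two hypervisors.
INSTALLS = [
    Install("db-vm-1", "DBEngine", "hv-a"),
    Install("db-vm-2", "DBEngine", "hv-a"),
    Install("db-vm-3", "DBEngine", "hv-b"),
    Install("db-phys-1", "DBEngine", "db-phys-1"),
    *[Install(f"pc-{i:02d}", "OfficeSuite", f"pc-{i:02d}") for i in range(42)],
    Install("mon-1", "Monitor", "hv-a"),
    Install("unknown-1", "LegacyTool", "unknown-1"),   # no contract on file
]


def consumption(installs, contracts):
    """Count licence consumption per product under that product's metric."""
    by_product = {c.product: c for c in contracts}
    hosts = defaultdict(set)
    count = defaultdict(int)
    for inst in installs:
        c = by_product.get(inst.product)
        if c is None or c.metric == "per_install":
            count[inst.product] += 1          # each copy counts
        elif c.metric == "per_physical_host":
            hosts[inst.product].add(inst.physical_host)
    for product, h in hosts.items():
        count[product] = len(h)               # distinct physical hosts count
    return dict(count)


def reconcile(installs, contracts):
    """Step 3: per-product position (surplus to reclaim or shortfall to fix),
    plus any discovered product with no contract modelled at all."""
    used = consumption(installs, contracts)
    rows = {}
    for c in contracts:
        consumed = used.get(c.product, 0)
        surplus = max(c.entitled - consumed, 0)
        rows[c.product] = {
            "entitled": c.entitled,
            "consumed": consumed,
            "surplus": surplus,
            "shortfall": max(consumed - c.entitled, 0),
            "wasted_cost": surplus * c.annual_cost_each,
        }
    uncontracted = sorted(p for p in used if p not in rows)
    return rows, uncontracted


def what_if(installs, contracts, planned_installs):
    """Step 4: re-run reconciliation with planned installs added."""
    rows, _ = reconcile(list(installs) + list(planned_installs), contracts)
    return rows


if __name__ == "__main__":
    rows, uncontracted = reconcile(INSTALLS, CONTRACTS)
    for product, r in rows.items():
        print(f"{product:12} entitled={r['entitled']:3} consumed={r['consumed']:3} "
              f"surplus={r['surplus']:3} shortfall={r['shortfall']:3} wasted={r['wasted_cost']:.0f}")
    print("discovered without a contract:", uncontracted)
    plan = [Install("db-vm-4", "DBEngine", "hv-c"), Install("db-vm-5", "DBEngine", "hv-d")]
    print("DBEngine shortfall if two new hypervisors are added:",
          what_if(INSTALLS, CONTRACTS, plan)["DBEngine"]["shortfall"])
```

The ‘what if’ call is where the physical-versus-virtual point from earlier in the article shows up: adding another DB VM on an already-licensed hypervisor changes nothing under the per-host metric, whereas placing two new VMs on two new hypervisors pushes the position into shortfall.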

Compliance is good for business – if you are effectively and automatically enforcing compliance you are reducing risks and at the same time reducing your IT costs. This should not be a ‘once a year’ exercise when the auditor comes around, but a part of your normal IT operational procedures. If you refer to the sample screenshot below you will see an example of a ‘Business Services Compliance Dashboard’. This is exactly what CIOs and auditors want to see. This should be available as a ‘live status’ view as well as historical trends.

Next time the auditor comes around, open your ‘Business Services Compliance Dashboard’, select the calendar period, click print, show the auditor where the printer is and go have a coffee – simple! Ah, the joys of having an automated compliance management system…