Compliance by Design: IT controls that work

Copyright Date: 2011
Published by: IT Governance Publishing
Pages: 230
  Book Description:

    In Compliance by Design, Chong Ee shows you how your organisation can benefit from becoming compliant with the relevant national and international standards. You will discover how integrating controls into your processes will improve your security, increase your productivity, save you time and money, and increase your profits. Drawing on personal experience and using up-to-date, practical examples, the book considers the elements and principles of controls, and offers strategies to put them in place. It will show you how to establish a system of controls that is right for your business and how to integrate them into your everyday processes. You will achieve the synergy that can be gained from interconnected processes, as you assess your priorities, handle conflicting objectives and implement positive changes.

    eISBN: 978-1-84928-296-3
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
    (pp. 5-5)
    (pp. 6-6)
    (pp. 7-7)
  5. Table of Contents
    (pp. 8-12)
    (pp. 13-21)

    For all the differences in opinion surrounding its implementation, one thing the Sarbanes-Oxley Act of 2002 (SOX) did was demystify the language of internal controls. What was once seen as the domain of audit, security and compliance personnel became common currency, whether amongst system developers and administrators, or management and reporting staff. When engaged in efforts to build or sustain controls, however, it can be easy to become entangled in control-speak – manual versus automated controls, or those that comply with the recent Model Audit Rule (MAR), or the updated Payment Card Industry Data Security Standard (PCI DSS) – rather than uncovering...

  7. Part I: Elements
      (pp. 23-31)

      “Too many cooks spoil the broth”? This notwithstanding, it is remarkable that there are not more errors made in an increasingly distributed, outsourced and virtualized world.

      Consider the lifecycle of a problem ticket for an application bug (see Figure 5).

      Potential errors that can arise in managing the ticket:

      • Multiple tickets are created for the same issue
      • The support personnel fail to escalate the ticket in a timely manner
      • The analyst assigns the ticket to a developer in the wrong group
      • The tester tests the bug and logs the status in a separate test management tool
      • The release manager releases...

      (pp. 32-41)

      Remember John McEnroe’s infamous outburst in his Wimbledon match against Tom Gullikson in 1981? When it comes to articulating data in the context of controls, we have grown just as accustomed to unequivocal stances:

      • Data with no financial reporting impact is not in scope
      • Servers processing credit card transactions are secured on a separate network segment
      • Dedicated databases house patient health information.

      Lines are drawn, sharp and swift, to contain scope: what the data is, where it is located and which regulation applies (see Table 1).

      Even though the former can be characterized as a raw input and the...

      (pp. 42-51)

      Early on in Alice in Wonderland, the protagonist finds herself trapped in a hallway of locked doors⁴. She chances upon a tiny key that unlocks a little door behind a low curtain.

      In reality, we have learned to live with multiple keys. We log into our enterprise networks with our domain accounts, and into our applications or systems with our assigned application or system accounts. We sometimes forget which key unlocks which door; a frantic call to the help desk ensues. To complicate matters, each key expires at a different interval, each its own clock ticking away in the rabbit’s waistcoat pocket.
      (pp. 52-60)

      Imagine walking into a car dealership and asking for the latest model, albeit one with three inches more leg room, an additional trunk release lever and a complete rearrangement of the dashboard controls to your liking.

      When it comes to flexibility, most of us think about:

      Complexity conjures up different images:

      It may appear counterintuitive, but when it comes to systems, tradeoffs between flexibility and complexity happen all the time.

      Predefined templates for adding vendors or commission plans, for instance, facilitate the ease of adding or making changes to existing standing data, but can add to ongoing...

      (pp. 61-69)

      The story of the blind men and the elephant has various tellings. In one version, blind men of the capital were asked by a king what an elephant looked like. The one who felt its trunk thought it was a tree branch; the one who felt its tail believed it to be a rope; the one who felt its ear said it was a fan. Their disagreement came to blows.

      In covering the various control elements – People, Data, Objectives and Systems – thus far, what we’ve accomplished is not unlike grasping a different part of the elephant each time....

      (pp. 70-77)

      Some folks think of auditors as insurance agents or soothsayers. Where one may see opportunities waiting in the wings, they are more likely to discern lurking dangers behind sharp corners. But this is where the similarity ends. Insurance agents transfer risk from the insured to the insurer, in exchange for an annual premium. Soothsayers embrace risk, albeit with fatalistic fervor. Auditors, on the other hand, assist management to mitigate risk.

      This chapter is about risks, but rather than focus on risks that controls can help us mitigate, as covered in Chapter 3: Objectives, we will cover control risks: ways and...

  8. Part II: Principles
      (pp. 79-86)

      Records tell a story. Tax accountants, for instance, often get rare glimpses into their clients’ inner worlds.

      In exploring the principle of proximity through space, and looking at the passage of data from within and without a system, we piece together a story in which the gaps can be just as revealing as the content. By placing the sequence of controls against the passage of time, we piece together yet a different story.

      Proximity is the first step to understanding other principles: alignment, coupling, balance and resilience. Like all principles, it can be used and misused. To this end, we will...

      (pp. 87-96)

      In 2010, Room to Read, a global organization focused on improving literacy skills amongst primary school children, faced a unique predicament in Zambia⁷. In its expansion into Kafue, a district south of Lusaka, the team had the challenge of transporting library books and furniture along bumpy hill roads, across Kafue River and through a wild animal park, to get to schools in the provinces. When introducing its Reading Room program to the local community, they discovered an unlikely partner. Trucks belonging to ZAMBEEF, an international food production company, come into Lusaka fully loaded, but head out to the provinces empty....

      (pp. 97-104)

      Remember the last time you deposited a check? Was it signed? Now, imagine having to book a journal entry. Does it have to be approved before it can be posted in the system? Or how about releasing an emergency fix in production. Is it likely to have been approved?

      In exploring the principle of coupling, we ask two primary questions:

      First, the elephant in the room: does the control really need to be performed for the process to be complete? Is it a nice-to-have or a must-have? Just as we expect checks to be signed, do we, in turn, expect...

      (pp. 105-112)

      When you think about imbalance, do you visualize a tightrope walker? Tilt a little to the left, or right, and risk falling. To get down, proceed forward, or go back. It is a most precarious position, one that requires a great deal of effort and concentration just to obtain momentary control.

      When it comes to IT controls, imbalance manifests in less obvious ways. Blink and you just might miss the opportunity to correct a lopsided arrangement. Instead of a tightrope stretched between good and bad, what you see is an almost infinitesimal tilt that threatens to veer into oblivion over...

      (pp. 113-123)

      Resilience in IT controls is not unlike resilience in human psychology. Both refer to the ability to:

      • Bounce back, or recover to the original state
      • Do better, or evolve to a new state.

      Controls may in turn promote resilience. The recovery of business operations to normal operating levels in the event of a disaster, covered in the last chapter, comes to mind.

      In applying the principle of resilience to the organization of control elements, we will investigate the impact of change. Thus far, in exploring proximity, alignment and coupling, we covered the ways control elements can be organized in a...

  9. Part III: Strategies
      (pp. 125-134)

      It is difficult to keep up with today’s corporate news without coming across “executives blinded by greed” or “malicious insiders.” Indeed, much of the drive behind compliance or security efforts, other than meeting mandated regulations or standards, centers on keeping the bad guys at bay. There’s no denying that management fraud exists, as does insider sabotage, but in adopting an “us vs. them” mentality, we mask deeper issues that cause organizations to go through cyclical firefighting.

      The obligation to comply with regulations, or fend off the bad guys, can only go so far. The March 2010 revelation of the...

      (pp. 135-144)

      The subprime mortgage crisis in 2008 possessed the hallmarks of a systemic risk: underlying interdependencies swirl to produce a series of cascading failures for an entire system, rather than for any one singular entity. Held captive by sheer magnitude, we marvel at how seemingly unrelated elements separated by time and space can interact to reach catastrophic proportions.

      When it comes to the design of IT controls to mitigate risk, however, we rarely place any emphasis on visualizing, let alone assessing interconnections. Even the label IT can be misleading; for some of us, it conjures up system programming, or anything and...

      (pp. 145-156)

      Shortly before 2 pm on June 21st, 2009, neighbors watched in horror as a four-story building in Brooklyn, New York plunged into the ground. Only seven weeks earlier, the Buildings Department had issued the owner a violation for a visible crack running up the east exterior wall¹⁵. A myriad of factors – work performed on the wall, the filing of the lot near door and rainy weather – increased the lateral load and eventually sent the building toppling into a huge cloud of dust¹⁶.

      We seldom view a breakdown of IT controls with such dramatic flair. Yet, reported data breaches often capitalize...

      (pp. 157-166)

      The server-to-admin ratio is a traditional metric used to assess IT operating efficiency (see Figure 50). Specific factors can improve this ratio, not least a homogeneous infrastructure and standardized configurations.

      The advent of virtualization promises a dramatic improvement (see Figure 51). As presented briefly in Chapter 4: Systems, virtualization decouples the operating system layer from the supporting hardware; in effect, the same server can run multiple operating system instances, each hosting varied applications. Resources are allocated where needed, redistributing server utilization in an optimized fashion. With fewer servers needed to host more applications, the difference in the resulting server-to-admin ratio...

      (pp. 167-179)

      In manufacturing, we do all we can to minimize scrap and defects (see Figure 57). The outcome is strength in numbers: an improvement in first-time yield. When it comes to employing general computer and application controls to manage IT and business processes, the correlation between work performed, and the outcome, is less obvious.

      As illustrated in Figure 58, an absence of restricted access, field validity and configuration controls all contributed to a higher likelihood of errors in transactions processed. The effects are not felt until the time comes to perform manual reviews downstream. While onerous and time-consuming,...

      (pp. 180-190)

      Why do we always go through this?

      Think back to the last:

      • Emergency fix
      • Remediation for controls that fail to operate effectively
      • Retirement of a control
      • Effort to tighten controls after a system go-live.

      Are there areas that need to change, yet stay the same each time? In spite of the best of intentions, we often go through the same motions, resolving to do better next time, only to succumb to the seemingly inevitable.

      Strategies that break the cycle drive change. Invariably, organizations become averse to change over time. It is amazing to see the level of work undertaken to...

      (pp. 191-204)

      On a recent flight, I caught a snippet of the conversation behind me:

      Of course, we are compliant.

      Both my teams are compliant too.

      Yes, yes, we are all complaint.

      I could not help but think that compliance for some has become a dance in, and of, itself. We gather evidence, identify control deficiencies and report to management. Performance is measured by the number of controls that have been successfully validated without exceptions, or conversely, a reduction in the number of deficiencies identified. This leaves us wondering what the forest truly looks like beyond the trees. To be sure, control...

  10. Part IV: Action
      (pp. 206-215)

      When it comes to developing a business case for changing the way we envision, develop and implement IT controls, make every attempt to justify it with metrics that are meaningful in the context of everyday operations, as opposed to point-in-time compliance.

      As detailed in the prior chapter, the rate of failure seen in changes deployed to production, the mean time to repair a bug, the average time taken to remove access for a terminated employee, or the per cent of failed back-up media, all convey a sense of urgency to keep the lights turned on.

      Change does not have to come in...

      (pp. 216-227)

      Compliance can be characterized as a series of character-building endeavors. Regulations and standards change, as do enterprises, people and technology. Compliance thus involves real, hard work, but at the end of the day, it is but a baseline set of behaviors for securing a level of trust to conduct business.

      It can be foolhardy to think that the paradigms or frameworks that we have erected fully encapsulate reality. As new threats evolve, so too must our security postures. The penultimate question that needs to be asked and reasked is: in the midst of all this work, where are we this...

    (pp. 228-230)