Gourley: The key to IT compliance

Automation can help agencies comply with the growing number of IT rules and regulations


We typically think of government as the source of regulation, not its subject. Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability acts are key examples of regulations that have levied significant requirements on information technology leaders in industry. But government IT professionals are now finding that they have to comply with more rules and regulations.

Scorecard approaches to governance and regulations — such as the Federal Information Security Management Act, the Federal Desktop Core Configuration and the Security Technical Implementation Guides at the Defense Information Systems Agency — are mandating actions throughout the federal government.

Many of the lessons learned by industry’s compliance with regulation can be directly applied by government IT professionals. But one in particular is important: The smart use of automation.

Automating compliance by continuous monitoring ensures that misconfigured devices are found immediately. Automating compliance also reduces costs by reducing downtime. Approaches that detect, diagnose and repair changes before they become problems avoid work disruptions, keep people productive and reduce manpower costs associated with audit and repair.

Automation also increases security. It is usually the misconfigured system that gets penetrated. By detecting and immediately reconfiguring those systems, automation shuts the door to external attacks.

Reactive approaches to compliance, including manual audits and manual follow-up processes, are neither reliable nor scalable to organizations as large as most federal agencies. Periodic scans are also unsatisfactory. They can only determine if something is wrong but can do nothing to remediate the problems they identify. And the resulting reports from scanning thousands of PCs and servers can inundate IT experts with reams of irrelevant information. Similarly, annual audits will identify problems but usually long after they’ve had a negative impact.
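The detect, diagnose and repair loop described above, as an added example that is not part of the original article or of any product it mentions: a constructed baseline of hardening settings, a detector that reports only deviations, and a remediation step that fixes what it can in place and escalates what it cannot. The baseline keys, host names and values are all assumptions chosen for illustration.

```python
# Added example: the detect/diagnose/repair loop the article describes,
# run against a constructed baseline. Not the author's or any vendor's code.
# Constructed baseline in the spirit of a desktop/server hardening benchmark.
# Each setting maps to (required value, can it be fixed in place?).
BASELINE = {
    "password_min_length": (14, True),
    "screen_lock_timeout_sec": (900, True),
    "firewall_enabled": (True, True),
    "unsupported_os_version": (False, False),  # needs a rebuild, not a toggle
}

def detect(observed):
    """Return only the settings that deviate from the baseline."""
    return {k: observed.get(k) for k, (want, _) in BASELINE.items()
            if observed.get(k) != want}

def remediate(observed):
    """Repair what can be fixed in place; escalate the rest.
    Returns (repaired_state, fixed_keys, escalated_keys)."""
    state = dict(observed)
    fixed, escalated = [], []
    for key in detect(observed):
        want, auto = BASELINE[key]
        if auto:
            state[key] = want  # a real agent would apply the change here
            fixed.append(key)
        else:
            escalated.append(key)  # a ticket for a person, not a silent retry
    return state, fixed, escalated

def fleet_report(fleet):
    """One line per non-compliant host; compliant hosts produce nothing,
    unlike a scan report that lists every host and every check."""
    lines = []
    for host, observed in fleet.items():
        _, fixed, escalated = remediate(observed)
        if fixed or escalated:
            lines.append(f"{host}: fixed={fixed} escalated={escalated}")
    return lines

# Constructed sample fleet state (three hosts, one fully compliant).
FLEET = {
    "ws-001": {"password_min_length": 14, "screen_lock_timeout_sec": 900,
               "firewall_enabled": True, "unsupported_os_version": False},
    "ws-002": {"password_min_length": 8, "screen_lock_timeout_sec": 900,
               "firewall_enabled": False, "unsupported_os_version": False},
    "srv-01": {"password_min_length": 14, "screen_lock_timeout_sec": 0,
               "firewall_enabled": True, "unsupported_os_version": True},
}
```

A setting that is absent from a host's observed state is treated as non-compliant rather than silently passed, and a check the agent cannot repair becomes an escalation instead of a repeated, noisy finding.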

Private industry has shown that it doesn’t make sense, financially or operationally, to take a reactive approach to compliance. With the proper approach, every PC and server can be monitored — and threats to compliance resolved — every minute of every day. This can be done in a way that enhances security and productivity and reduces costs.

The scope of regulatory demands is likely to grow in the future. The sooner organizations within the federal government implement an automated approach to IT compliance, the sooner they’ll be able to truly mitigate risk and control costs.

Gourley is founder of Crucial Point and a member of the advisory board of Triumfant. He is former chief technical officer of the Defense Intelligence Agency.
