Gourley: The key to IT compliance

Automation can help agencies comply with the growing number of IT rules and regulations


We typically think of government as the source of regulation, not its subject. Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability acts are key examples of regulations that have levied significant requirements on information technology leaders in industry. But government IT professionals are now finding that they have to comply with more rules and regulations.

Scorecard approaches to governance and regulations — such as the Federal Information Security Management Act, the Federal Desktop Core Configuration and the Security Technical Implementation Guides at the Defense Information Systems Agency — are mandating actions throughout the federal government.

Many of the lessons learned by industry’s compliance with regulation can be directly applied by government IT professionals. But one in particular is important: The smart use of automation.

Automating compliance by continuous monitoring ensures that misconfigured devices are found immediately. Automating compliance also reduces costs by reducing downtime. Approaches that detect, diagnose and repair changes before they become problems avoid work disruptions, keep people productive and reduce manpower costs associated with audit and repair.

Automation also increases security. It is usually the misconfigured system that gets penetrated. By detecting and immediately reconfiguring those systems, automation shuts the door to external attacks.

Reactive approaches to compliance, including manual audits and manual follow-up processes, are neither reliable nor scalable to organizations as large as most federal agencies. Periodic scans are also unsatisfactory. They can only determine if something is wrong but can do nothing to remediate the problems they identify. And the resulting reports from scanning thousands of PCs and servers can inundate IT experts with reams of irrelevant information. Similarly, annual audits will identify problems but usually long after they’ve had a negative impact.
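The detect-diagnose-repair loop described above, contrasted with a scan-only pass, as an added example that is not part of the column or of any product it mentions. The baseline settings, device names and configuration states are constructed for illustration and are not an actual FDCC or STIG control set.

```python
"""Minimal continuous-compliance loop: detect configuration drift against a
baseline, diagnose which settings deviate, and remediate them in place.
Everything below is constructed sample data; no real control set is used."""

from dataclasses import dataclass, field

# Constructed baseline in the spirit of a desktop-configuration standard.
# Exact-match semantics: a setting complies only if it equals the baseline value.
BASELINE = {
    "firewall_enabled": True,
    "auto_update": True,
    "min_password_length": 12,
    "guest_account_enabled": False,
}


@dataclass
class Device:
    name: str
    settings: dict
    history: list = field(default_factory=list)  # (setting, old, new) per repair


def detect_drift(device, baseline=BASELINE):
    """Return {setting: (expected, actual)} for every deviating setting.
    A setting missing from the device counts as drift with actual=None."""
    drift = {}
    for key, expected in baseline.items():
        actual = device.settings.get(key)
        if actual != expected:
            drift[key] = (expected, actual)
    return drift


def remediate(device, drift):
    """Reset each drifted setting to its baseline value and record the change.
    Returns the number of settings repaired."""
    for key, (expected, actual) in drift.items():
        device.settings[key] = expected
        device.history.append((key, actual, expected))
    return len(drift)


def periodic_scan(devices):
    """Scan-only pass: reports drift but leaves every device unchanged,
    so the same findings reappear on the next scan."""
    findings = {}
    for d in devices:
        drift = detect_drift(d)
        if drift:
            findings[d.name] = drift
    return findings


def monitoring_cycle(devices):
    """One detect-diagnose-repair pass. Only devices that actually drifted
    appear in the summary, which keeps the report free of noise."""
    summary = {}
    for d in devices:
        drift = detect_drift(d)
        if drift:
            fixed = remediate(d, drift)
            summary[d.name] = {"drifted": sorted(drift), "fixed": fixed}
    return summary


def build_fleet():
    """Constructed fleet: one compliant host, one with two changed settings,
    one with a disabled setting and a setting missing entirely."""
    return [
        Device("ws-01", {"firewall_enabled": False, "auto_update": True,
                         "min_password_length": 8, "guest_account_enabled": False}),
        Device("ws-02", dict(BASELINE)),
        Device("srv-02", {"firewall_enabled": True, "auto_update": False,
                          "min_password_length": 12}),
    ]


if __name__ == "__main__":
    fleet = build_fleet()
    print("scan #1:", periodic_scan(fleet))
    print("scan #2:", periodic_scan(fleet))      # identical: scanning fixed nothing
    print("cycle:  ", monitoring_cycle(fleet))   # repairs and reports only drift
    print("scan #3:", periodic_scan(fleet))      # {} : fleet now matches baseline
    for d in fleet:
        print(d.name, "repairs:", d.history)
```

Running it shows the column's point directly: two scan-only passes return the same findings, whereas one monitoring cycle repairs the drift and the next scan comes back empty. In a real deployment `detect_drift` would read live system state and `remediate` would apply the change through a configuration-management agent; the loop structure stays the same.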

Private industry has shown that it doesn’t make sense, financially or operationally, to take a reactive approach to compliance. With the proper approach, every PC and server can be monitored — and threats to compliance resolved — every minute of every day. This can be done in a way that enhances security and productivity and reduces costs.

The scope of regulatory demands is likely to grow in the future. The sooner organizations within the federal government implement an automated approach to IT compliance, the sooner they’ll be able to truly mitigate risk and control costs.

Gourley is founder of Crucial Point and a member of the advisory board of Triumfant. He is former chief technical officer of the Defense Intelligence Agency.
