Gourley: The key to IT compliance

We typically think of government as the source of regulation, not its subject. Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability acts are key examples of regulations that have levied significant requirements on information technology leaders in industry. But government IT professionals are now finding that they have to comply with more rules and regulations.Score card approaches to governance and regulations — such as the Federal Information Security Management Act, the Federal Desktop Core Configuration and the Security Technical Implementation Guides at the Defense Information Systems Agency — are mandating actions throughout the federal government. Many of the lessons learned by industry’s compliance with regulation can be directly applied by government IT professionals. But one in particular is important: The smart use of automation.Automating compliance by continuous monitoring ensures that misconfigured devices are found immediately. Automating compliance also reduces costs by reducing downtime. Approaches that detect, diagnose and repair changes before they become problems avoid work disruptions, keep people productive and reduce manpower costs associated with audit and repair.Automation also increases security. It is usually the misconfigured system that gets penetrated. By detecting and immediately reconfiguring those systems, automation shuts the door to external attacks. Reactive approaches to compliance, including manual audits and manual follow-up processes, are neither reliable nor scalable to organizations as large as most federal agencies. Periodic scans are also unsatisfactory. They can only determine if something is wrong but can do nothing to remediate the problems they identify. And the resulting reports from scanning thousands of PCs and servers can inundate IT experts with reams of irrelevant information. Similarly, annual audits will identify problems but usually long after they’ve had a negative impact.Private industry has shown that it doesn’t make sense, financially or operationally, to take a reactive approach to compliance. With the proper approach, every PC and server can be monitored — and threats to compliance resolved — every minute of every day. This can be done in a way that enhances security and productivity and reduces costs.The scope of regulatory demands is likely to grow in the future. The sooner organizations within the federal government implement an automated approach to IT compliance, the sooner they’ll be able to truly mitigate risk and control costs.