5 Steps to Improving Your IT Infrastructure Compliance Strategy

Mark Prahl

Want to keep your sanity—and your job?

Of course you do. But managing your IT infrastructure holistically is not an easy task, and ensuring that everything is always under control and meets regulatory requirements is harder still.

What you need is an effective approach to governance, risk management, and compliance or GRC.

More than just another acronym, your IT GRC strategy is your hall pass to staying out of trouble.

Because your IT infrastructure compliance strategy is part of your overall IT GRC, it has to address the complexity that today’s dynamic physical and virtual data centers introduce, with both new technologies and new ways of working.

Makings of a Good IT GRC Platform

Some organizations already use IT GRC technology to align controls with departmental and corporate policies (e.g. service-level agreements) and with regulations. However, most organizations still operate in silos and lack the technologies or processes to measure activities, gain efficiencies, and evaluate risks.

An IT GRC platform should help an organization to: 

  • Define IT policies and controls based on external and internal requirements
  • Manage policy content
  • Map policies to controls
  • Evaluate IT risk
  • Automate auditing and regulatory reporting

So, how do you keep everything under control and maintain compliance in the IT infrastructure?

The answer is both the right technology and the right processes. A good example of the right tool set can be found in the integrated RSA Archer/EMC/VMware platform.

But, the secret to success is not just in the right platform, it’s in the right management approach to people and processes. It’s a recurring theme here at Managed View: understanding changing roles in the data center.

A 5-Step Program

Here are 5 steps you can take to make everything align:

1. Start out with a focus on quick wins

Whether you are just starting your IT GRC strategy or revising an existing one, it’s important to keep in mind that quick wins will make it easier for the organization to change.

Ideally, pick 3 to 5 early use cases and make them a visible success; once they gain traction, the rest of the organization will follow.

For the quick wins:

  • Focus on formalizing the risk process: look for risk metrics already produced by your existing IT infrastructure management technologies. Better visibility and awareness of risk at the senior executive level will help justify new security projects.
  • Find inconsistencies in processes: drive automated control testing to surface compliance issues. If your organization relies on a manual compliance process rather than an integrated compliance framework, this is the opportunity to standardize.

2. Automate whenever possible through integration

Monitor configuration settings and measure vulnerabilities across the IT infrastructure. Look to tools such as VMware vCenter Configuration Manager (vCM), EMC Network Configuration Manager (NCM) and Storage Configuration Advisor (SCA) to collect that data automatically and to perform the correlation, analysis, and assessment for you.

3. Show the cost saving

Cost savings can be achieved in many different ways once your compliance processes are implemented. The obvious value is the improvement in the organization’s external audit posture.

Once integrated with your IT infrastructure management technologies, your GRC framework reduces the cost of reporting and avoids the fines and related expenses that can follow from missing regulatory requirements.

Additionally, cost savings can be derived from:

  • Improvements in business system availability
  • Fewer trouble tickets
  • Less time spent on problem management and validating compliance
  • …and more

4. Make it easy for executives

There is a lot of complexity behind those infrastructure management technologies. However, their results can be used by executives if the reporting provides a simple way to roll up compliance data. A GRC framework like RSA Archer allows quick creation of simple dashboards with information like the current state of process and control compliance, vulnerabilities, and IT asset use.

Another argument for simplified compliance reporting is to meet the needs of internal and external auditors. Without the automation an integrated compliance framework makes possible, manually collected data is likely to be incomplete or inaccurate.
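To make “automated control testing” (step 2) and “roll up compliance data” (step 4) concrete, here is an added example; it is not code from the original post and does not use the RSA Archer, vCM, NCM or SCA APIs. It assumes a configuration collector has exported an asset inventory as plain records; the inventory, the control IDs and the policy references below are constructed for illustration.

```python
"""Automated control testing with an executive roll-up.

Added example, not code from the original post or from RSA Archer,
VMware vCM or EMC NCM/SCA. The asset inventory, control IDs and policy
references are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed inventory: the shape a configuration collector might export.
INVENTORY = [
    {"asset": "esx-01", "type": "hypervisor", "ssh_enabled": False,
     "ntp_servers": ["10.0.0.5"], "log_forwarding": True, "days_since_patch": 12},
    {"asset": "esx-02", "type": "hypervisor", "ssh_enabled": True,
     "ntp_servers": [], "log_forwarding": True, "days_since_patch": 45},
    {"asset": "sw-core-1", "type": "switch", "ssh_enabled": True,
     "ntp_servers": ["10.0.0.5"], "log_forwarding": False, "days_since_patch": 3},
    {"asset": "san-a", "type": "storage", "ssh_enabled": False,
     "ntp_servers": ["10.0.0.5", "10.0.0.6"], "log_forwarding": True,
     "days_since_patch": 90},
]


@dataclass
class Control:
    """One testable control, mapped to the policy clause it implements."""
    control_id: str
    policy_ref: str          # hypothetical policy label, e.g. "POL-ACCESS-3"
    description: str
    test: Callable[[dict], bool]  # returns True when the asset passes


@dataclass
class Finding:
    control_id: str
    policy_ref: str
    asset: str
    detail: str


# Policy-to-control mapping; every control is a pure function of one asset record.
CONTROLS = [
    Control("CFG-01", "POL-ACCESS-3", "Interactive SSH disabled on hypervisors",
            lambda a: a["type"] != "hypervisor" or not a["ssh_enabled"]),
    Control("CFG-02", "POL-TIME-1", "At least one NTP server configured",
            lambda a: len(a["ntp_servers"]) >= 1),
    Control("CFG-03", "POL-LOG-2", "Logs forwarded to the central collector",
            lambda a: a["log_forwarding"]),
    Control("VUL-01", "POL-PATCH-1", "Patched within the last 30 days",
            lambda a: a["days_since_patch"] <= 30),
]


def run_control_tests(inventory, controls):
    """Evaluate every control against every asset; return one Finding per failure."""
    findings = []
    for control in controls:
        for asset in inventory:
            if not control.test(asset):
                findings.append(Finding(control.control_id, control.policy_ref,
                                        asset["asset"], control.description))
    return findings


def roll_up(inventory, controls, findings):
    """Per-control compliance percentage: the number an executive dashboard shows."""
    failing_assets = {}
    for f in findings:
        failing_assets.setdefault(f.control_id, set()).add(f.asset)
    total = len(inventory)
    return {c.control_id: round(100 * (total - len(failing_assets.get(c.control_id, ()))) / total)
            for c in controls}


def overall_compliance(summary):
    """Unweighted average across controls, rounded to a whole percent."""
    return round(sum(summary.values()) / len(summary))


if __name__ == "__main__":
    found = run_control_tests(INVENTORY, CONTROLS)
    for f in found:                      # auditor view: which clause, which asset
        print(f"{f.control_id} ({f.policy_ref}) FAIL on {f.asset}: {f.detail}")
    summary = roll_up(INVENTORY, CONTROLS, found)
    for control_id, pct in summary.items():   # executive view: how much passes
        print(f"{control_id}: {pct}% compliant")
    print(f"overall: {overall_compliance(summary)}%")
```

Each control carries the policy reference it implements, so one findings table answers both the auditor’s question (which policy clause fails, on which asset) and the executive’s (what fraction of the estate passes). Keeping each control test a pure function of a single asset record is what makes the testing repeatable every time the collector refreshes the inventory, instead of a manual exercise.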

5. Involve key stakeholders early

GRC strategies can be driven either top-down or bottom-up.

Driven from the bottom up, IT GRC will have more IT-centric requirements. Driven from the top down, enterprise GRC (eGRC) will be more about enterprise risk.

Both approaches will require a certain level of coordination amongst an organization’s IT, security, audit, and risk management teams.

Allow time to negotiate change. GRC may involve nothing more than new nomenclature (e.g. “incidents” become “issues” in the new lexicon), or it may involve changes to processes that range from seemingly innocuous to radical.

Regardless of the breadth of change, people need time to digest the impact of a new way of thinking or doing things and assess what it means to them and their jobs. Leave out key stakeholders or rush this step and you could find yourself with the right GRC strategy but all alone.

Wait, There’s More

Where do you go from here? Hopefully, you now have a better understanding of the key considerations regarding your IT infrastructure compliance strategy.

One recommendation is to learn more about the technologies available.

Once your organization understands the flexibility of the framework and the usefulness of the integration, you can move quickly on the IT GRC journey those technologies enable.
