
(End of the preceding article, by Neil Lategan and Rossouw von Solms)

to develop an effective internal control system.

Conclusion

For a human being to enjoy a quality life, a healthy body is a prerequisite. A healthy body cannot be achieved with a quick-fix pill; rather, an all-inclusive, integrated risk management approach is required. The resultant healthy body will enable an associated healthy lifestyle, and ultimately a quality life to be enjoyed. Similarly, ICT is, to a large extent, an enabler for a quality lifestyle of an enterprise. ICT cannot be seen any longer as a freestanding component as far as risk management is concerned. It should form part of a holistic, integrated enterprise risk management exercise that should ensure that the whole enterprise is ‘healthy’ to ensure maximum probability that the vision and mission can be met.

Author contacts: Neil Lategan; Rossouw von Solms.

EVENTS CALENDAR

18-21 December 2006: International Conference on High Performance Computing. Location: Bangalore, India. Website: www.hipc.org
5-9 February 2007: RSA Conference USA 2007. Location: San Francisco, USA. Website: www.rsaconference.com
11-15 March 2007: 22nd Annual ACM Symposium on Applied Computing. Location: Seoul, Korea. Website: http://comp.uark.edu/%7Ebpanda/sac-cf.htm
12-15 March 2007: Architecture of Computing Systems. Location: Zurich, Switzerland. Website: http://arcs07.ethz.ch
18-21 March 2007: ISACA EuroCACS. Location: Vienna, Austria. Website: www.isaca.org
16-20 April 2007: 5th Intl. Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks. Location: Limassol, Cyprus. Website: www.wiopt.org
17-19 April: CSRC 6th Annual PKI R&D Conference. Location: Gaithersburg, MD, USA. Website: http://csrc.nist.gov/events
24-26 April 2007: Infosecurity Europe. Location: London, UK. Website: www.infosec.co.uk

Compliance management in the corporate world

Computer Fraud & Security, December 2006, page 19

COMPLIANCE

Peter Watts gives advice on how to impress the auditors in an increasingly regulated environment.

The corporate world has changed significantly and irreversibly over recent years. These changes have been brought about by the introduction of controls, audits and a level of general transparency that is unprecedented. This is putting new demands on organizations that are often unprepared and under-resourced. Whilst this may seem a negative development, we should in fact be supportive of these measures, which will, over time, restore the investor confidence that was rocked by the major corporate collapses of WorldCom, Enron and Parmalat. What is key, as these new legislative controls gain increased traction, is that organizations take premeditated and well-advised steps as they start to implement suitable control measures. Those measures will improve the stability and long-term security of the organization, provided they are properly targeted.

Firstly, the relevant compliance requirements must be clearly identified and understood. These will depend, to a degree, on the nature and industry sector of the business, but there are a number of general principles that will stand irrespective of the business area. All major businesses must produce an annual report that details the financial results of the business. Legislation now dictates that the annual report must also include the results of all the compliance audits during the reported period. A marginal or, worse still, a failed result in one of these reviews will have a significant impact on the future trading position, as they are visible to investors as well as potential and existing customers. The remainder of this report will give a brief introduction to the areas that should be considered when looking at compliance management.

Initially, a seasoned auditor will want to have a high level of confidence that the managing organization of a business, whether it be the board or some other senior management team, has a clear and current understanding of its business. This may seem a curious statement, but it is often the case, especially in the larger corporates, that the managing organizations have a relatively limited understanding of the most important aspects of their business. Clearly, in a large organization the board cannot be personally familiar with every one of their many thousands of employees and the areas in which they work. However, they should have an appreciation of the major risks and have measures in place, cascaded down through the organization, to mitigate these risks and ensure adequate security.

In years past, businesses developed and operated ‘organically’, with almost a common consciousness developing across a team of people because everyone generally knew what everyone else did and was capable of. It is now clearly understood that this ‘loosely coupled’ approach is unacceptable for a number of reasons. It is this cultural approach that has been repeatedly seen as responsible for allowing individuals with malicious intent, or those who make absent-minded mistakes, to be

responsible for very significant misappropriation of funds. It can be all too easy to overlook the fact that the office technology of today is an order of magnitude more powerful than it was as little as five years ago, and individuals with apparently the most insignificant of roles and normal levels of access still have the ability to significantly influence day-to-day operation.

In the ever-evolving business and modern office environment a more tightly controlled organization is not just advised, but essential, and being able to demonstrate this will be seen as a prerequisite to passing an audit.

To achieve this level of control a number of key milestones must be achieved. All audits will revolve around one fundamental principle, process compared to execution, and understanding this principle will go a long way towards setting the context for everything else.

All businesses have processes, yet few actually write them down or, if documented, study them to identify if they are well designed, efficient or even secure. It is essential that a business can identify all its processes and, having done so, look for weaknesses, missing or duplicated links and, of course, opportunities for data to be maliciously or accidentally modified without detection. This is typically the first phase of an audit, which can and often will be done off site, and will often reveal a number of areas for improvement without even visiting the business or talking to its staff.

Having completed this non-significant step, the review will move on to comparing what the process documentation says with what is actually happening ‘on the ground’. It is also very common that a process document states one thing, but actual analysis of the operating environment reveals that the reality is very different. This is also clearly a cause for concern to an auditor. This is the second main phase of an audit and is the one that is most visible to the operations staff, because a flood of requests may be received for data and evidence to confirm the business functions are operating as described.

To ensure the business processes and the people operating them are in keeping with the documented process, a whole range of material will be requested. Examples will include process documents, work instructions, organization charts, job descriptions, access lists, training records, system configuration documents and transaction logs. All this evidence must be stored in a logical, accessible and manageable way so it is easily retrievable during an audit and easy to maintain at all other times.
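The second audit phase described above, process compared to execution, is something a compliance team can rehearse before the auditor arrives. The following Python is an added illustration, not code from the article or from Siemens Insight Consulting: it takes two pieces of documented process (a role matrix derived from job descriptions, and the system's access list) and one piece of execution evidence (a transaction log), all of them constructed sample data, and reports where execution departs from the documented process. The three checks (a user acting who is absent from the access list, an action outside the user's documented role, and one person both creating and approving the same payment) are the kinds of undetected-modification opportunity the article warns about; the names, file layouts and role names are assumptions made for the example.

```python
# Added example (not from the article): a "process versus execution" control
# test. Documented controls (a role matrix and the access list derived from
# job descriptions) are compared with execution evidence (a transaction log).
# All data below is constructed for illustration.
import csv
import io
from collections import defaultdict

# Documented process: which actions each role may perform on the payments
# system (constructed role matrix).
ROLE_MATRIX = {
    "clerk": {"create"},
    "manager": {"approve"},
    "auditor": {"view"},
}

# Access list as exported from the system (constructed).
ACCESS_LIST_CSV = """user,role
alice,clerk
bob,manager
carol,clerk
dave,auditor
"""

# Transaction log as exported from the system (constructed).
TRANSACTION_LOG_CSV = """ts,user,action,payment_id,amount
2006-12-01T09:00:00,alice,create,P-100,2500.00
2006-12-01T09:05:00,bob,approve,P-100,2500.00
2006-12-01T10:00:00,carol,create,P-101,18000.00
2006-12-01T10:02:00,carol,approve,P-101,18000.00
2006-12-01T11:00:00,erin,create,P-102,900.00
2006-12-01T11:30:00,dave,approve,P-102,900.00
"""


def load_csv(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def check_process_vs_execution(role_matrix, access_csv, log_csv):
    """Compare the transaction log (execution) with the role matrix and
    access list (documented process). Returns a sorted list of findings as
    (control, payment_id, user, detail) tuples; an empty list means the
    log is consistent with the documentation."""
    access = {row["user"]: row["role"] for row in load_csv(access_csv)}
    findings = []
    actors = defaultdict(dict)  # payment_id -> action -> user who did it
    for row in load_csv(log_csv):
        user, action, pid = row["user"], row["action"], row["payment_id"]
        role = access.get(user)
        if role is None:
            # Execution shows a user the documented access list does not know.
            findings.append(("unknown-user", pid, user,
                             f"{action} by a user absent from the access list"))
        elif action not in role_matrix.get(role, set()):
            # Execution exceeds what the documented role permits.
            findings.append(("role-exceeded", pid, user,
                             f"{action} is not permitted for role {role}"))
        actors[pid][action] = user
    for pid, by_action in actors.items():
        creator = by_action.get("create")
        approver = by_action.get("approve")
        if creator is not None and creator == approver:
            # Segregation of duties: one person created and approved a payment,
            # so a modification could pass without a second pair of eyes.
            findings.append(("sod-violation", pid, creator,
                             "created and approved the same payment"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_process_vs_execution(ROLE_MATRIX, ACCESS_LIST_CSV,
                                              TRANSACTION_LOG_CSV):
        print(" | ".join(finding))
```

Run as a script it lists four findings from the constructed data: two role breaches (carol approving, dave approving), one segregation-of-duties breach (carol both creating and approving P-101) and one actor missing from the access list (erin). Each finding names the control, the record and the user, which is the shape of evidence an auditor will ask for; keeping the script and its inputs alongside the other evidence makes the test repeatable between audits.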

To maintain a strong compliance position demands a degree of preparation, organization and a clear methodology to ensure that all the areas are dealt with in a timely and accurate manner. A number of elements are key to success. Firstly, having a core team of dedicated, well-advised and trained staff who are responsible for the initial construction and subsequent maintenance of the compliance management systems, test schedules and evidence repositories is important. Secondly, it is essential that some software tools are available to assist in the management of the tests and their execution cycles and to store the evidence that has been produced.

Finally, being well prepared for an actual audit engagement will contribute significantly to the chances of a successful outcome, for a variety of reasons. A well-prepared and briefed audit interface team will always perform better in front of an auditor. Well-organized material will be easily accessible and can be provided for examination in a timely manner. The combination of these factors will give the auditors themselves a degree of confidence in the organization being examined.

This has been a brief summary of the wide range of issues that should be considered when looking at compliance management.

About the author

Peter Watts is a senior consultant at Siemens Insight Consulting.