
10 Commandments


10 things to know when selecting an IT regulatory compliance solution or "The 10 Commandments of Compliance According to Vanadium"


Organizations and enterprises are required to operate in compliance with a range of regulations and policies in force worldwide. These regulations and policies apply to every organization's and enterprise's network. Some regulations are stricter and less flexible, obliging the organization to meet higher standards of compliance. Most organizations also maintain their own network policy and need in-depth verification that the network actually operates according to the defined regulations. This can be a long, tedious, and expensive process that diverts limited and valuable resources such as time, manpower, and funds.

At Vanadium, we recommend organizations and consulting auditors evaluate their decisions based on the following criteria:

1. Required Resources

The most sensitive and expensive component of implementing a regulatory compliance solution is the amount of IT team effort required to operate it. With that in mind, organizations should look for solutions that require minimal resources to operate and are designed to work automatically.

2. Automatic IT Controls

To reduce as much as possible the time it takes to implement all the required IT controls in the network, the process should be fully automated. This enables the audit to cover the whole corporate network in a short period, scanning and testing the entire network rather than only parts of it, while dramatically reducing the time professional auditors must spend at the customer site.

3. Flexible Platform

As each auditing firm has its own best practices for each type of regulation, the IT regulatory compliance solution should be able to accommodate changes and adjustments to each IT control. These changes may result from a regulatory update, a best-practice update, and so on.

4. Real-time

Organizations tend to "float away" from regulatory requirements between audits, building a gap between their current IT status and the desired status (as defined by the IT controls and network policy). To reduce this gap, organizations should look for a solution that keeps track of all relevant changes in the network in real time. Consequently, network policy and regulatory IT controls can be kept current at all times.

5. Full Information Coverage

With ever-growing, changing, and increasingly complex enterprise networks, a basic requirement of an IT regulatory compliance solution is that it covers all parts of the network and keeps track of all changes as they happen. The solution should also be able to correlate all required types of information (topology and inventory, for example) for use by the IT controls and network policies.

6. IT Control and Network Policy Visibility

To facilitate the definition of the required IT controls and network policies, the IT regulatory compliance solution must be able to group and filter the collected data (which may include topology, inventory, and vulnerability information) according to any criteria. The resulting groups can then serve as building blocks for IT control and/or network policy definitions.

7. Automatic and Independent Data Collection

As stated above, the IT regulatory compliance solution must react immediately (by re-assessing) to all changes in the network. To support this, the solution must be able to collect data from the various network elements automatically and independently.

8. Agentless

The IT regulatory compliance solution must be able to function with no agents installed on network elements in order to assure both easy implementation and full network coverage at all times.

9. Non-Intrusive – Monitor Only

An IT regulatory compliance solution must only monitor the network and never impact it. This is required to ensure that the solution itself does not cause any network changes and fits easily into the existing IT role management.

10. Interface with External Systems

As the IT regulatory compliance solution will not replace existing SOC/NOC systems, it must be able to export its conclusions and alerts to the legacy SIM/SEM systems already deployed in the SOC/NOC. In many cases, the IT regulatory compliance solution is also required to automatically import specific data types already collected by third-party systems.
