
Reducing IT Compliance Operating Expenses – A White Paper on Maximizing Compliance whilst Minimizing Compliance Costs

The corporate scandals of the early part of this century resulted in legislation such as Sarbanes-Oxley (SOX); together with other regulatory and industry requirements such as HIPAA, PCI DSS, and Basel II, this defines the compliance landscape in which enterprises now operate. The intent of these regimes is to curtail and prevent a repeat of such corporate malfeasance and its repercussions. This paper describes a solution that empowers enterprises with innovative ways to implement and comply with intrusive regulatory compliance standards, whilst minimizing the time, cost, and resources inherent therein.

The Compliance Challenge

As is often the case, the knee-jerk reactions of regulators and the practicalities of the real world are at odds. On the one hand, loopholes in the system, coupled with market participants intent on abusing those loopholes legally or illegally, resulted in an untenable situation that could not persist. On the other hand, the exorbitant costs associated with fixing the system could destroy that which it sought to protect.

Regulatory compliance is a multi-faceted, complex process. Adhering to it successfully requires planning and execution from many parts of the organization, including but not limited to Finance, IT, Operations, and Sales. The IT department, as a key facilitator of business within the organization, has a central role to play in identifying and implementing compliance tools that ease the burden of regulatory compliance.

One of the major challenges in this process is to understand the state of the corporate network as it relates to compliance requirements. Previously, common practice was to perform one-time audit checks of the network. A report was then issued stating the current state of the network and outlining a roadmap with recommendations for compliance. This practice was prevalent throughout the '90s and up to the arrival of Sarbanes-Oxley (enacted in 2002, with Section 404 compliance deadlines arriving in 2004). Auditing was performed from a security perspective rather than a regulatory perspective. This has now changed.

In today's regulatory environment, corporations are not only required to be compliant, but to maintain ongoing compliance. This poses a great challenge in a world where networks change rapidly and new devices are introduced on a regular basis, resulting in perpetual changes to compliance posture.


The requirement for ongoing compliance is regulatory. However, maintaining ongoing compliance is a fiscally prudent measure in and of itself: prevention is better than cure. Using automated tools to maintain a high level of compliance yields additional operating cost savings on audit preparation, audit accommodation, and the remediation planning and execution that usually follow a failed or incomplete audit.

As this market evolves, the need for automated tools to help streamline the compliance process is growing. Such tools, which help achieve compliance quickly and efficiently and then maintain a high level of compliance, provide a compelling ROI model that is easily demonstrated.

The following diagram shows the erosion of compliance over time under the older approach of periodic, non-automated audits.

Figure 1: Compliance Degradation Over Time


Real-Time Monitoring Saves Money, Increases Efficiency

As illustrated in the chart above, an automated tool that provides 24/7, real-time information reduces the workload of the IT department and addresses needs proactively rather than reactively; not only when an audit is pending, but at all times.

The Scalability Challenge

Network scanning tools are plentiful. Some rely on intrusive scanning, others on non-intrusive scanning. There are scanners based on open source technology and others that are proprietary. The principal challenge for an effective assessment tool in today's technology environment is to provide actionable data, and to do so fast. Using artificial intelligence and patented technology, Vanadium Enterprise scans the network at record speed. The table below compares Vanadium Enterprise with other scanning technologies on a 10,000-element network.

Table 1: Cost Effectiveness


Deploying Compliance Best Practice

Different compliance regulations and internal security policies must be entered into the automated compliance tool as rule sets. Vanadium Enterprise provides best-practice templates for SOX, HIPAA, PCI, and Basel II; loading a template into the system quickly generates a report detailing the exact actions to be taken in order to reach the desired compliance level.

To maximize its technological capabilities and usability, Vanadium Software has partnered with leading compliance specialist companies to incorporate their best practices into Vanadium Enterprise. Through these relationships, Vanadium Enterprise is kept up to date with the changing demands and protocols of the different regulatory requirements.

This saves organizations time and money in the adoption and adaptation of multiple products.


The Safe Road to Compliance - How?

Bringing the IT network into compliance is an iterative process, depicted in the figure below:

Figure 2: The Compliance Life Cycle


Once a set of IT policies has been defined (Requirements), the Vanadium platform uses its modeling technology to abstract them into compliance rules (Compliance Rules). Based on those rules, Vanadium scans the network in a non-intrusive, agentless manner (Monitoring) and generates a report with recommendations on how to raise the IT compliance level (Fixing). As remediation actions are implemented, the system is continually updated with the new state of the network. This method maximizes compliance and maintains the correct compliance level, because the current state is continually compared against the standard defined in the initial step.

Vanadium Enterprise is equipped with an analysis engine that maps the gap between the required IT policies and the current status of IT components. This capability can be seen in the screen shot below:

Figure 3: IT Policy Status


The essence of good compliance practice is to keep it current and continuous. Good compliance practice, facilitated by Vanadium Enterprise, enables companies to eliminate the peak costs associated with a network being left unattended for too long.
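The life cycle described in this section (policy abstracted into rules, monitoring against them, fixing, and re-comparing the new network state against the standard) and the gap mapping shown in Figure 3 can be illustrated with a small policy-gap evaluator. The Python below is an added example written for this page; it is not Vanadium Enterprise's analysis engine or modeling technology, and its rule IDs, thresholds, attribute names and host inventory are hypothetical constructions:

```python
"""Policy-gap evaluation loop.

Added illustration of the requirements -> rules -> monitoring -> fixing cycle.
This is NOT Vanadium Enterprise's engine; the rule format, rule IDs,
thresholds and host inventory below are hypothetical / constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable


# --- Compliance Rules: a written policy abstracted into machine-checkable rules
@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    attribute: str                 # key in a host's observed state
    check: Callable[[Any], bool]   # True when the observed value is compliant
    remediation: str               # action the "Fixing" step should take


def at_most(limit: int) -> Callable[[Any], bool]:
    return lambda v: v is not None and v <= limit


def at_least(limit: int) -> Callable[[Any], bool]:
    return lambda v: v is not None and v >= limit


def equals(expected: Any) -> Callable[[Any], bool]:
    return lambda v: v == expected


# Hypothetical access-control and logging rules; thresholds are illustrative
# assumptions, not values quoted from SOX, HIPAA, PCI DSS or Basel II.
RULES = [
    Rule("AC-01", "Password maximum age 90 days", "password_max_age_days",
         at_most(90), "Set password maximum age to 90 days or less"),
    Rule("AC-02", "Password minimum length 12", "password_min_length",
         at_least(12), "Raise minimum password length to 12"),
    Rule("AC-03", "Lockout after at most 10 failed logins", "lockout_threshold",
         at_most(10), "Configure account lockout at 10 failed attempts or fewer"),
    Rule("LG-01", "Audit logging enabled", "audit_logging",
         equals(True), "Enable audit logging and forward logs centrally"),
    Rule("SV-01", "Telnet service disabled", "telnet_enabled",
         equals(False), "Disable telnet; use SSH for remote administration"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule_id: str
    observed: Any
    remediation: str


# --- Monitoring: compare each host's observed state against every rule.
def evaluate(inventory: dict[str, dict[str, Any]], rules: list[Rule] = RULES) -> list[Finding]:
    """Return one Finding per (host, rule) pair that fails.

    A setting that was never observed (missing key) counts as a failure:
    an unknown setting cannot be claimed compliant.
    """
    findings: list[Finding] = []
    for host, state in inventory.items():
        for rule in rules:
            observed = state.get(rule.attribute)
            if not rule.check(observed):
                findings.append(Finding(host, rule.rule_id, observed, rule.remediation))
    return findings


def compliance_score(inventory: dict[str, dict[str, Any]], rules: list[Rule] = RULES) -> float:
    """Fraction of (host, rule) checks that pass; 1.0 means fully compliant."""
    total = len(inventory) * len(rules)
    return 1.0 if total == 0 else 1.0 - len(evaluate(inventory, rules)) / total


# --- Fixing: turn findings into a de-duplicated per-host action list.
def remediation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    plan: dict[str, list[str]] = {}
    for f in findings:
        actions = plan.setdefault(f.host, [])
        if f.remediation not in actions:
            actions.append(f.remediation)
    return plan


def apply_change(inventory, host, attribute, value):
    """Return a new inventory with one setting changed; the input is left untouched.

    Used both for a remediation and for simulated drift: the same re-evaluation
    catches either, which is the point of continuous monitoring.
    """
    updated = {h: dict(s) for h, s in inventory.items()}
    updated[host][attribute] = value
    return updated


# Constructed sample inventory (what an agentless scan might have observed).
INVENTORY = {
    "fileserver-01": {"password_max_age_days": 60, "password_min_length": 14,
                      "lockout_threshold": 5, "audit_logging": True, "telnet_enabled": False},
    "legacy-app-07": {"password_max_age_days": 365, "password_min_length": 8,
                      "lockout_threshold": 5, "audit_logging": False, "telnet_enabled": True},
    # lockout_threshold was not observed on db-03: it is reported as a gap.
    "db-03": {"password_max_age_days": 90, "password_min_length": 12,
              "audit_logging": True, "telnet_enabled": False},
}


if __name__ == "__main__":
    current = INVENTORY
    print(f"score before: {compliance_score(current):.2%}")
    for host, actions in remediation_plan(evaluate(current)).items():
        print(host, "->", "; ".join(actions))
    # Apply one fix, then re-scan: the score moves now, not at the next audit.
    current = apply_change(current, "legacy-app-07", "telnet_enabled", False)
    print(f"score after fix: {compliance_score(current):.2%}")
    # Drift on a previously compliant host is caught on the next evaluation.
    current = apply_change(current, "fileserver-01", "audit_logging", False)
    print(f"score after drift: {compliance_score(current):.2%}")
```

Run as a script, the example reports a 66.67% score on the constructed inventory, 73.33% after the single telnet remediation, and back to 66.67% once audit logging drifts off on the file server. Two design choices matter in practice: an attribute the scanner could not observe is scored as a failure rather than skipped, so unreadable hosts lower the score instead of inflating it, and every evaluation runs against the full rule set, so a fix on one host never masks regression on another.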


Know Your Network (a.k.a. Discovery)

Another component of daily network compliance management is network discovery and mapping. Tools for network mapping are diverse and vary in cost and usability. Vanadium Enterprise eliminates the need to deploy a separate network mapping tool, because mapping is an intrinsic part of the product. With Vanadium Enterprise, network maps are live and update on the fly as the network changes, as illustrated in the figure below.

Figure 4: Network Mapping


Conclusion

Vanadium Enterprise offers a compelling ROI, as it introduces a revolutionary low-touch approach that requires minimal corporate resources. The opportunity to implement one tool that provides comprehensive real-time, fully automated IT assessment, compliance, and network mapping, is irresistible.
