Focus on Central IT Platform to Manage Policies, Requirements

A key strategic necessity for effective IT governance and compliance is the ability to integrate, automate and centralize the process controls implemented by the organization, says a new IBM white paper.

A compliance strategy must address the fact that information is usually spread across multiple systems and applications, making it "difficult to consistently deploy the proper controls for maximizing business integrity" and difficult to meet compliance specifications in 21 CFR Part 11, among other regulations and laws.

Firms should take a "life-cycle" approach, advises IBM's "Help Protect the Integrity of your Business through IT Governance and Compliance Management" white paper. Compliance policies should be defined, designed and implemented into applications, which must then be monitored for compliance and visibly tested so that any noncompliance issues can be identified and addressed.

Bottom-line: Integrated IT governance and compliance management systems help enforce policies consistently across all domains and optimize operational costs and efficiencies, the white paper notes.

But because many firms deploy controls manually, two key problems can crop up:

Inefficient deployment. Determining which resources must be modified and who owns them within the organization, gathering the required approvals, implementing the changes and verifying on a repeatable basis that they remain valid can often take too long. Ineffective deployment. Manually implementing policies across multiple resources tends to increase the likelihood of "implementation disparities."

In addition, ongoing maintenance is much harder without a centralized approach, the white paper asserts. That's in part because it is usually handled by a variety of local administrators, who mistakenly or purposefully can cause noncompliances through common situations that include:

Trying to manage available storage resources by allowing much shorter data retention windows; Neglecting to update the underlying systems with the latest application and security patch levels; Satisfying localized requests to allow additional users to access restricted data; and Subverting policies that require users to reset their passwords regularly.

To access the full white paper, go to www-8.ibm.com/businesscenter/au/solutions/pdfs/TivoliComplianceManage mentwhitepapeGC28-8371-00.pdf (http://www-8.ibm.com/businesscenter/au/solutions/pdfs/TivoliComplianceManage mentwhitepapeGC28-8371-00.pdf). -- Michael Causey