There are no pre-packaged tools or services that will give you continuous controls across the range of regulatory requirements and internal risk management practices that govern most businesses. But more than anything else, continuous controls will make everyone's life much easier in 2006.
That means you'll have to get there the hard way, and if you haven't already started, 2006 may not be your year. I'm not talking against pre-packaged tools. The reason there are so many tools is that there are so many unique problems to address, and you'll no doubt find some of them useful in your overall compliance and risk management environment. For a large organization to achieve continuous controls, however, it will need a way to monitor and report every event that breaks with accepted security, risk and compliance policies, and then document any and all remediation efforts. Most continuous controls environments also provide a centralized view of the entire enterprise risk management landscape via tools we've come to call dashboards.

Building a continuous controls environment means integrating the monitoring of controls with all the sources of information that could possibly generate a risk event; in other words, every place on your network where information is stored or exchanged.
Some companies elect to build continuous controls into their overall business process management system. That's a huge commitment, but front-ended with a business intelligence engine and augmented with enterprise content management (ECM) that implements the COSO framework, a BPM system may be in the best position to achieve continuous controls across a broad range of requirements. Then you have to make sure it can perform real-time auditing, analytics, reporting and mitigation. And then you have to make sure that all the processes are repeatable, an enormous but necessary undertaking.
Few compliance requirements are so specific and unchanging that a single packaged tool will get the job done. And the task of continuous controls will call for the tools you choose to work together. In the end, it forces you to examine your entire chain of information, from transaction systems to production systems and communication systems. It would be a shame not to leverage such retooling and analysis to improve efficiency and productivity throughout the organization.
Your greatest challenge could be getting management to understand the need for and the benefits of a continuous controls environment. If you were one of the majority of IT managers who were merely given a deadline to become compliant and little or no extra budget to do so, the fact that you were able to patch together controls for your first audit means you get to do it all over again. And that's not a New Year that anyone wants to look forward to.
So there you have it. That makes 10 predictions for IT compliance in 2006. If you missed any of the previous nine, you can review them below: