Suppliers of management software are jumping on regulatory compliance concerns by delivering a raft of tools that do everything from sound alerts when systems drift out of whack to automatically remediate problems and generate reports that can be used in audits.
Management veterans such as Computer Associates and niche players such as Ecora are betting that businesses faced with penalties ranging from $100 for inadvertent violations to $250,000 for deliberate disclosure of healthcare information would rather invest in software than take their chances with an audit.
In the US, 60 percent of 500 IT executives surveyed earlier this year concurred, saying that ensuring compliance with regulations over the next 12 months is "extremely important." Close to half of the respondents also said they will upgrade their applications or purchase new applications this year to ensure compliance with regulations.
"Vendors are drooling over the fact that IT shops need to comply with regulations, and right now they are preying on customer ignorance and panic to meet deadlines," says Mike Neuenschwander, a senior analyst at Burton Group. Yet vendor promises aren't totally without merit, he adds: "Vendors can provide tools to help automate the work needed to verify that a company is compliant, but there is no suite of products to ensure you're compliant."
While application suppliers such as Oracle, PeopleSoft and SAP are adding features to improve financial and other reporting processes, management vendors say their tools will help customers ensure their systems, security measures and management processes are in line with US regulations such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act (HIPAA).
Become compliant, then automate
The general idea is that once a company determines how to be compliant and has its policies in place, management software can automate the processes needed to stay compliant. That can range from tracking and documenting changes to monitoring system access and usage to producing reports specific to regulations.
Configuration, desktop, and identity and security management wares are being pushed as compliance tools, and industry watchers say they can help IT teams monitor and document their compliance efforts.
"Operational reporting, proper notification and escalations, and basically keeping track of who people are and what they are doing needs to be automated for IT shops to realistically tackle compliance," says Mike West, senior program director at Saugatuck Technology Research.
IT managers agree. Jim Vellella, associate director of ISD Technical Services at the University of Pittsburgh Medical Center in Pennsylvania, says HIPAA requires "IT to be able to provide clear, concise, authoritative monitoring and documentation of the security measures" in place, and the ability to alert and report on any deficiencies. He uses Ecora software to provide the monitoring and reporting required by HIPAA.
"We simply do not have time or staff to provide the type of consistent, repeatable analysis and reporting on hundreds of systems that an automated product like Ecora provides," he says.
Ecora's change and configuration software can be installed on an administrative workstation to collect data from multiple operating systems, including Microsoft Windows, Unix and Linux, and from network devices from the likes of Cisco. The software can also retrieve data from Active Directory, Exchange, NetWare, Citrix, Oracle and other systems. It then compares the data against a pre-defined model of a compliant configuration and alerts staff to exceptions and unacceptable changes.
Establishing controls and processes
The new tools also can help IT meet new process requirements. For example, Sarbanes-Oxley requires companies to establish and certify a system of internal controls and processes used to obtain financial results. That means IT needs to be able to prove that financial data followed a specified workflow across multiple systems and restrict data access to authorised users.
James Kritcher, vice president of IT at White Electronic Designs in Arizona, says the public semiconductor packaging company stays on top of Sarbanes-Oxley using Ecora software in concert with processes spelled out in the IT Infrastructure Library (ITIL) and Control Objectives for Information and Related Technology (COBIT). The combination should help ward off potential audits.
"There is no [set of generally accepted accounting practices] for IT that tells you how to get through an audit," he says. Ecora's software scans his network for IT issues that could cause compliance problems, such as a firewall that is open to attack or a server that is not properly patched.
"We use the software to take a baseline of all our configurations and compare what we have against how it should be," Kritcher says. "It helps us document that we are taking the proper steps."
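The baseline-and-model comparison described above (collected settings checked against a pre-defined compliant model and against a stored baseline, with exceptions and unacceptable changes flagged for staff) as an added example; this is not Ecora's or any vendor's code, and the hosts, setting names and accepted values are constructed sample data.

```python
"""Configuration drift check against a compliant model and a stored baseline.

Added illustration of the workflow in the article: hypothetical setting names,
hosts and accepted values; nothing here is a real product's data model.
"""
from dataclasses import dataclass

# Compliant model (constructed): each setting must hold one of the allowed values.
COMPLIANT_MODEL = {
    "ssh.PermitRootLogin": {"no"},
    "ssh.PasswordAuthentication": {"no"},
    "audit.enabled": {"yes"},
    "patch.level": {"2024-05", "2024-06"},   # currently accepted patch levels
}

# Change-controlled settings: any drift from the approved baseline is reported,
# even if the new value still satisfies the model (tuple keeps report order stable).
CHANGE_CONTROLLED = ("ssh.PermitRootLogin", "audit.enabled")

@dataclass
class Finding:
    host: str
    key: str
    kind: str        # "exception": violates the model; "change": drifted from baseline
    expected: str
    observed: str

def compare(host, baseline, current):
    """Return findings for one host's current settings versus model and baseline."""
    findings = []
    for key, allowed in COMPLIANT_MODEL.items():
        observed = current.get(key, "<missing>")
        if observed not in allowed:
            findings.append(Finding(host, key, "exception", "|".join(sorted(allowed)), observed))
    for key in CHANGE_CONTROLLED:
        before, after = baseline.get(key, "<missing>"), current.get(key, "<missing>")
        if before != after:
            findings.append(Finding(host, key, "change", before, after))
    return findings

def report(findings):
    """Audit-style lines, one per finding, suitable for an evidence file."""
    return [f"{f.host} {f.kind.upper()} {f.key}: expected {f.expected}, observed {f.observed}"
            for f in findings]

# Constructed sample data: an approved baseline, a patched-but-compliant host,
# and a host where root SSH login was enabled and auditing switched off.
BASELINE = {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
            "audit.enabled": "yes", "patch.level": "2024-05"}
CURRENT_OK = {**BASELINE, "patch.level": "2024-06"}
CURRENT_DRIFT = {**BASELINE, "ssh.PermitRootLogin": "yes", "audit.enabled": "no"}

if __name__ == "__main__":
    for host, cfg in (("srv01", CURRENT_OK), ("srv02", CURRENT_DRIFT)):
        print("\n".join(report(compare(host, BASELINE, cfg))) or f"{host} OK")
```

Running the block prints nothing but `srv01 OK` for the patched host and four lines for `srv02`: two model exceptions and two baseline changes.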
In Charles Revei's case, HIPAA requires him to ensure privacy for patient data, including information stored in multiple IT systems. The computer operations manager at Maryland General Hospital in Baltimore says he uses features in ScriptLogic's Desktop Authority to push out HIPAA-compliant security policies and software patches to client machines on a one-to-many basis. "When I make a change to our overall security model the software will push out the policies to the entire infrastructure," he says.
ScriptLogic software also gives his staff the power to shut down clients remotely when a breach is suspected. "If a general-use PC on the campus had access to a patient care system, and for some reason that was left unattended or an unauthorised user accessed it, we can limit that access remotely," Revei adds.
But nothing does it all
For all the advances, no single vendor offers a solution that addresses all IT compliance needs. Still missing from vendor offerings, Vellella says, is the capability to monitor multiple operating systems, platforms and applications. He says it would be ideal to have software that provides an end-to-end view from "desktop to Web portal to application server to database server" that would automate the correlation of compliance events between disparate systems and prevent IT managers from having to manually compare data to determine the source of a problem.
Also, the features provided in management software can only address IT processes and policies. Industry watchers say IT shops must align their compliance policies with their specific businesses. "Every industry is regulated now, and there isn't one product that provides compliance rules for all the regulations," Burton Group's Neuenschwander says.
He also warns IT not to view compliance as a one-time project with a set end date: "Compliance requires ongoing process and policy improvements."
White Electronic Designs' Kritcher agrees. "Compliance is a moving target," he says. "You become compliant for one regulation and then breathe a little easier, but it's factored into our budget and staffing for the long term."