Taming the Jungle: Effective SOX Controls for IT Operations
October 2, 2008 01:00 PM
A Web browser isn't usually the first thing that comes to mind when someone mentions Sarbanes-Oxley. But behind that simple window of content and functionality lies a highly complex, often disorganized area of IT operations, and an often-overlooked but essential aspect of regulatory compliance.
By Miles Kelly, Director of Marketing for IT Solutions, Interwoven
In the frantic early days of Sarbanes-Oxley, companies naturally focused on the most immediate and obvious challenge: bringing new controls to the systems and processes directly related to financial reporting. This in itself was more than enough to keep them busy, not to mention the consultants they employed to help them achieve 404 compliance.
Now, as compliance makes the transition from short-term crisis to ongoing requirement, companies are seeking to wean themselves from outsourcing and build new controls into their own infrastructure. Once again, the initial focus is usually on financial systems, but that's only part of the picture. Compliance officers and IT executives need to be aware of just how broad-reaching the operational implications of 404 can be, especially in the context of the browser-based applications now common in financial services, healthcare, telecommunications, government and other regulation-intensive sectors.
Easy for Them to Say
The immediate goal of Sarbanes-Oxley is to improve the control and accuracy of financial reporting. In practical terms, though, its call for new control, monitoring and reporting capabilities extends to virtually every area of the IT environment, including systems and applications that were never designed to provide them. Many of these requirements are spelled out in two standards to which Sarbanes-Oxley refers companies for guidance: the COSO compliance framework and the CobiT methodology for assessing and measuring corporate risk, governance and compliance in IT processes and controls.
Regarding the provisioning of changes to application code and content, COSO directs companies to evaluate the design, implementation and sustainability of their internal controls to assess whether:
- Management procedures exist for all changes to the production environment, including program changes, system maintenance and
- The process used to control and monitor change requests provides accurate information and an ability to review how change requests are properly initiated, approved and tracked;
- A whole snapshot of every customer's browser-based experience can be kept on record for three, five or seven years;
- The development process is entirely separate from the production deployment process;
- An auditable trail is captured of everything deployed to an external environment, such that changes can be traced back to the change request log and supporting documentation;
- Procedures exist to ensure that only authorized/approved changes are moved into production.
In essence, these requirements come down to process control, version management and accountability. To demonstrate that they have met these requirements, companies are directed to "select a sample of changes made to applications/systems to determine whether they were adequately tested and approved before being placed into a production environment. Establish if the following are included in the approval process: operations, security, IT infrastructure and IT management."
Although sensible enough in themselves, such measures go far beyond traditional norms of IT operations. CIOs recognize that they have much work to do; in a recent survey by CIO Magazine, more than 90 percent expressed their belief that Sarbanes-Oxley will require changes to their technology infrastructure. But what kind of changes, exactly? COSO and CobiT are full of best practices, but tantalizingly vague as to the best technology strategy for supporting them.
The task would have been more straightforward in an earlier era. Back in 1992, when the first COSO framework was introduced, computing was dominated by static mainframe and client/server environments in which content changes were generally infrequent, and made according to narrowly defined, closely controlled workflow. Today, the picture isn't nearly as simple. Organizations in the financial services, healthcare, telecommunications and government sectors increasingly rely on thin-client, browser-based applications, both for internal use and to equip their websites with customer applications ranging from investment plan calculators to interactive help systems and online account management tools.
The provisioning of these applications is more complex and dynamic in every way. Hosted on distributed infrastructures, they form an environment of code, static content and configurations in which updates are aggregated, synchronized and deployed from multiple development systems to distributed servers across testing, staging and production environments. Worse still, from a compliance perspective, changes can be initiated by a broad spectrum of IT and business users, and can proceed by any number of possible processes.
This dynamic environment serves a vital business purpose, enabling organizations to respond quickly and flexibly to new business requirements and competitive pressures. But it also makes effective controls much more difficult to implement without sacrificing the very agility and responsiveness that drive their value in the first place. In fact, one major bank currently requires 14 signatures and two weeks for changes to their customer-facing websites.
The difficulty of bringing thin-client applications into Sarbanes-Oxley compliance stems from a more fundamental problem. Inherently less structured than client/server or mainframe-oriented processes, the seat-of-the-pants manner in which code, content and configuration changes are made to these applications often borders on chaos, leaving many CIOs unable to sustain even a basic level of quality and performance. IT is besieged with change requests from all sides, leading to backlogs and delays. Homegrown workflows and techniques lead to frequent errors: non-functioning applications, inaccurate content, out-of-sync deployments and worse. It's no wonder many CIOs refer to this application environment as "a jungle."
Control, Management and Accountability from the Inside Out
As the full implications of 404 compliance sink in, companies are seeking new strategies for bringing some semblance of order and control to the thin-client jungle. Solutions offered by ERP and business intelligence vendors can support the process control requirements of Sarbanes-Oxley in relatively static mainframe and client/server environments, but that's the easy part. The inability to easily maintain a record of website activity on a given date, especially when ERP data is combined with content from other systems, in one case led a financial institution to take Polaroid snapshots of Web pages to serve as a system of record.
Meanwhile, audit firms and business process management (BPM) vendors offer solutions based on the CobiT model that focus on managing internal controls. But the time needed to complete these audits leaves them out of touch with daily operations, and with the frequent changes associated with dynamic thin-client applications.
A more effective strategy has been offered by enterprise content management (ECM) vendors. Unlike ERP and audit-based solutions, ECM plays an integral role in the actual management, control and monitoring of daily Web content operations. This unique perspective makes it possible for ECM vendors to build real-time compliance directly into the content provisioning process, tracking the flow of information through the enterprise to provide the necessary process control, version management and accountability. Capabilities that would be difficult or impossible to apply from the outside are simply core elements of a well-designed ECM-based content provisioning solution, including:
- Workflow - Providing a full range of controls to ensure the correct and orderly application of content provisioning policies. User authentication and authorization provide real-time security and control over who may apply changes to deployed browser-based applications. Audit trails capture all site content activity, demonstrating who did what and at what time to ensure full accountability.
- Versioning - Capturing and maintaining an accurate snapshot of every production instance, including code, content and configurations, allowing an IT organization to prove or reproduce past application states as seen by end users at any point in the past.
- Deployment logs and reporting - Providing a detailed, fully searchable log of deployment events, enabling companies to research and analyze past deployment events.
Of course, identifying the best approach is only the beginning. Actually bringing the provisioning process for thin-client applications into compliance will proceed differently for each organization, based on the nature of the code, content and configurations in question, the unique workflows to be supported and other business requirements.
Achieving Compliance - and More
While Sarbanes-Oxley compliance may be a key consideration in the implementation of a content provisioning solution, the initiative should also be understood as an opportunity to fundamentally transform and standardize the thin-client provisioning jungle and achieve new levels of efficiency, accuracy and speed.
Before implementing the solution, the organization should first conduct a full assessment of its current processes, key provisioning requirements and areas for improvement. This exercise will enable the company to determine how best to configure the system for its own unique environment, including:
- Strategies for organizing change sets - A change set refers to the group of files and/or directories that comprise an update to a particular target application, and that should be deployed simultaneously. As the change sets are identified for each application, they can be mapped to a logical structure that ensures that all updates are completed correctly.
- Aggregation techniques - The assets that make up an application update can originate from different groups within an organization, and from a variety of different tools and file systems spanning a number of different hosts. The content provisioning solution will enable the company to control and manage the handoff of these assets from development to deployment, ensuring the separation stipulated by Sarbanes-Oxley.
- Change control processes - The change control process includes the initiation of a change request, the aggregation of relevant assets and deployment of the update to test, pre-production and production servers. Automated workflow can ensure the consistent application of the required well-defined and documented process for the initiation, approval and tracking of changes.
- Deployment approaches and patterns - The requirement for standardized processes doesn't have to preclude flexibility. Deployments can be performed in a number of different ways, and can take a number of patterns based on server topology. A different approach and pattern can be chosen for each update performed based on the specific requirements of the target application.
- Audit control and rollback - Sarbanes-Oxley requires extensive reporting and auditing capabilities, including the ability to maintain snapshots of target application states and to rapidly roll back changes. The content provisioning solution will meet this need, as well as providing complete logs of all change activities and the generation of summary statistics related to the historical state of servers, assets and workflows. Companies can easily research and document any past deployment event in the event of an audit.
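The following Python sketch is an added example, not code from the original article and not Interwoven's or any other vendor's product. It ties together the COSO requirements listed earlier (separation of development from production, approval by operations, security, IT infrastructure and IT management, an auditable trail that links each deployment to its change request, and only approved changes reaching production) with the configuration points above: a change set as the unit of deployment, a snapshot of production after every event so that any past state can be reproduced or rolled back to, a hash-chained deployment log, and an audit routine of the kind an auditor would run when sampling changes. Role names, request ids, actors and file contents are constructed for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Roles the COSO guidance expects in the approval process (constructed role names).
REQUIRED_APPROVERS = frozenset({"operations", "security", "it_infrastructure", "it_management"})


def content_digest(files):
    """Stable SHA-256 fingerprint of a change set: sorted path/content pairs."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path] + b"\0")
    return h.hexdigest()


@dataclass
class ChangeSet:
    """Files that make up one update and must be deployed together."""
    request_id: str
    files: dict                                  # path -> bytes, aggregated from development
    approvals: set = field(default_factory=set)  # roles that have signed off
    tested: bool = False


class ProvisioningLedger:
    """Development hands change sets over; only the ledger writes production state."""

    def __init__(self):
        self.changes = {}     # request_id -> ChangeSet (the change request log)
        self.production = {}  # path -> bytes, current live state
        self.snapshots = {}   # version -> copy of production after that event
        self.events = []      # append-only, hash-chained deployment log
        self.version = 0

    def submit(self, change):
        self.changes[change.request_id] = change

    def approve(self, request_id, role):
        self.changes[request_id].approvals.add(role)

    def record_test(self, request_id, passed):
        self.changes[request_id].tested = passed

    @staticmethod
    def _entry_hash(event):
        body = {k: v for k, v in event.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _commit(self, new_state, **event):
        """Apply a new production state, snapshot it, and chain the log entry to the previous one."""
        self.production = new_state
        self.version += 1
        self.snapshots[self.version] = dict(new_state)
        event["version"] = self.version
        event["prev_hash"] = self.events[-1]["entry_hash"] if self.events else "0" * 64
        event["entry_hash"] = self._entry_hash(event)
        self.events.append(event)
        return self.version

    def deploy(self, request_id, actor):
        """Only fully approved and tested changes move into production."""
        change = self.changes[request_id]
        missing = REQUIRED_APPROVERS - change.approvals
        if missing:
            raise PermissionError(f"{request_id}: missing approvals {sorted(missing)}")
        if not change.tested:
            raise RuntimeError(f"{request_id}: not tested")
        new_state = dict(self.production)
        new_state.update(change.files)
        return self._commit(new_state, action="deploy", request_id=request_id, actor=actor,
                            digest=content_digest(change.files), approvals=sorted(change.approvals))

    def rollback(self, version, actor):
        """Restore an earlier snapshot; the rollback is itself a logged, versioned event."""
        return self._commit(dict(self.snapshots[version]), action="rollback",
                            restored_version=version, actor=actor)

    def audit(self):
        """Auditor's check: trail unbroken, and every deployment traces back to an approved,
        tested change request whose recorded content still matches what went live."""
        findings, prev = [], "0" * 64
        for e in self.events:
            if e["prev_hash"] != prev or self._entry_hash(e) != e["entry_hash"]:
                findings.append(f"v{e['version']}: log entry altered or out of sequence")
            prev = e["entry_hash"]
            if e["action"] != "deploy":
                continue
            change = self.changes.get(e["request_id"])
            if change is None or content_digest(change.files) != e["digest"]:
                findings.append(f"v{e['version']}: deployed content does not match request {e['request_id']}")
            elif not (REQUIRED_APPROVERS <= set(e["approvals"]) and change.tested):
                findings.append(f"v{e['version']}: deployed without full approval or testing")
        return findings


def demo():
    """Constructed walk-through: a clean deployment, a refused one, a rollback, then an
    after-the-fact edit to a change record that the audit detects."""
    ledger = ProvisioningLedger()
    ledger.submit(ChangeSet("CR-1001", {"calc/index.html": b"<p>v1</p>", "calc/rate.js": b"rate=0.05"}))
    for role in REQUIRED_APPROVERS:
        ledger.approve("CR-1001", role)
    ledger.record_test("CR-1001", True)
    v1 = ledger.deploy("CR-1001", actor="webops")
    ledger.submit(ChangeSet("CR-1002", {"calc/rate.js": b"rate=0.06"}, approvals={"operations"}, tested=True))
    try:
        ledger.deploy("CR-1002", actor="webops")   # only one of four approvals: refused
        refused = False
    except PermissionError:
        refused = True
    for role in REQUIRED_APPROVERS:
        ledger.approve("CR-1002", role)
    v2 = ledger.deploy("CR-1002", actor="webops")
    v3 = ledger.rollback(v1, actor="webops")
    clean = ledger.audit()
    ledger.changes["CR-1002"].files["calc/rate.js"] = b"rate=0.07"   # tamper with the record
    return ledger, refused, (v1, v2, v3), clean, ledger.audit()
```

The separation the article calls for is enforced by construction: development code only ever produces a `ChangeSet`, and nothing outside the ledger modifies `production`. The digest recorded at deployment time is what lets an auditor sample a change months later and confirm that the change request on file is the one that was actually shipped, which is the "traced back to the change request log" requirement in practice.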
Although achieving compliance may in itself seem like a somewhat abstract good (the avoidance of punishment rather than a tangible business benefit), the process by which companies come into compliance can deliver solid, measurable gains. By synchronizing the aggregation and deployment of code and content across distributed environments, companies can ensure that application updates are made correctly and at the same time at every point in the network. Process automation allows companies to eliminate costly and error-prone manual processes as well as many of the more time-consuming aspects of delivery, testing and server synchronization. Improved efficiency and accuracy in every aspect of the process can significantly reduce the cost of managing complex Web-based application environments.
At the end of the day, the IT burden introduced by Sarbanes-Oxley might not be such a bad thing after all. In complying with these requirements, companies are by definition adopting a broad range of best practices, as well as implementing the technologies with which to support them. As new regulations are introduced and new technologies are brought on line, the foundation of control and documentation achieved through the compliance effort can ensure non-disruptive, evolutionary adaptation and continued compliance with both governmental requirements and industry best practices.
Director of Marketing for IT Solutions
As director of marketing, IT Solutions, Miles Kelly is responsible for the development and execution of marketing strategy for the IT Solutions Group at Interwoven.
Prior to joining Interwoven, Miles was director of marketing for the Content Networking Solutions Group at Inktomi, and held similar positions at AboveNet Communications and PointCast.