Continuous IT Compliance:
A Stepwise Approach to Effective Assurance
Introduction
Regardless of industry, most IT organizations today must comply with a variety of government, industry, and corporate policies
to protect their data and infrastructure, and to assure efficient service delivery with minimal risk. Unfortunately, in most cases,
their compliance efforts are expensive, inconsistent, and incomplete.
If this describes you, at best you’re wasting time and money on compliance efforts that don’t work. At worst, you’re risking fines,
lawsuits, embarrassing headlines, and even lost sales as nervous customers abandon you.
It is possible, however, to achieve continuous compliance that not only meets your control objectives, but does so in a cost-effective
manner. This white paper describes a six-step approach to achieving and maintaining compliance efficiently and cost effectively.
The Six Steps to Compliance
Organizations face compliance requirements from a variety of regulatory, industry, and organizational sources. Regardless of
the source of a requirement, however, an IT organization should establish and follow a standardized process for compliance.
Based on our experience with numerous IT organizations, we’ve identified the following six steps as a good-practice approach to
assuring compliance:
[Figure: the six steps to compliance, shown as a progression along a maturity axis]
During this step, you should also define the metrics by which you can measure success during the final “Measure and Report” stage
of the compliance process. It is important, therefore, to choose metrics you are sure you can obtain and report on later. These
should include both high-level metrics that will be meaningful to IT and business management, as well as more detailed metrics
that track progress on the lower-level control objectives.
The specific metrics you choose will also be determined by the area of compliance on which you are focusing. For example, if
you are focused on change and configuration management, you might define metrics such as “percentage of configuration items
compliant with change management policy.”
To avoid confusion and miscommunication, be sure to document and publish the objectives and the metrics for all staff members
involved in the compliance effort. A central program office that manages all IT projects or a central compliance program
management office focused strictly on compliance are both excellent ways to manage and maintain the compliance effort and to
communicate progress on your compliance objectives and metrics to all stakeholders.
Baseline
With the compliance and control objectives and corresponding metrics in hand, the next step is to identify the organization’s
starting point. During this step, you are evaluating your current level of compliance versus your defined objectives.
Ideally, the baseline process should be as automated as possible to ensure accuracy and consistency. Applying the
appropriate technology (e.g. discovery tools, a configuration data repository, etc.) is an effective means of driving standardization
and efficiency in your baseline definition efforts.
The result of the baseline step is a gap report, describing where you stand with regards to your specific compliance objectives.
Now, you are ready to start improving things.
Take Action
This step involves not only changing your infrastructure and operations, but, perhaps more importantly, also changing your
people and your culture. You may need to change the way people work, the processes they follow, and/or the tools they use to
achieve compliance.
Before proceeding, however, understand that both the size and the nature of the gap are crucial to defining the remedial action
you will need to take. The size of the gap is the quantifiable degree of difference between where you are and where you want
to be. The nature of the gap is the underlying reason for that difference. While establishing the size of the gap is generally
straightforward (e.g. the number of un-patched servers or the percent of unsuccessful changes to the systems under your
control), determining the nature of the gap can be a bit more complicated. For example, your baseline may show that 25 percent
of the servers are not properly patched. Determining the root cause for this deficiency (e.g. human error, technology failure, or
process failure) may not be immediately apparent but is critical to applying the proper remedial actions.
Once the size and nature of the gap are defined, remedial actions can take place. As previously mentioned, it is best to automate
as much of the remediation process as possible. Automation helps ensure that control objectives are consistently and
continuously applied. It also allows organizations to make better use of limited technical resources, allowing senior engineers
to define the policies that are then automatically and consistently applied across the infrastructure. Finally, automation can also
be leveraged to address process and people gaps. Once a process has been reviewed and improved (if necessary), automating
it will ensure it is consistently enforced. Likewise, automation goes a long way toward eliminating human error by removing
people from the loop wherever possible and practical.
Validate
Validation means ensuring the actions taken actually achieved the compliance objectives. Has infrastructure configuration
“drift” been reduced? Has the over-utilization of software licenses been eliminated? This is where you earn the payoff for the
care you took in defining your metrics, and for planning for how to capture and analyze those metrics. Validation should be a
straightforward exercise of comparing your current-state measurements to the target metrics you previously defined. You don’t
want, at this stage, to be scrambling to assemble data for validation after the fact. Doing so costs more money, takes more time,
and raises the risk of an inaccurate assessment. As with taking action, automated validation can help to cut costs and improve
consistency.
During validation, take care to identify policy violations that are really exceptions. For example, your server hardening policy
might state that FTP must be disabled on all servers. But some servers might have FTP enabled for a valid business reason. In
this case, you don’t want your compliance “fix” to get in the way of real work. Exceptions should be documented so they do not
repeatedly trigger violation flags during subsequent validation cycles.
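The baseline, validation and exception handling described above can be expressed as a small validator. The following is an added example, not code from the white paper or from BMC's products: it evaluates a constructed server inventory (hypothetical hosts web-01 through ftp-04) against three control policies (FTP disabled, fully patched, no unapproved changes), treats documented exceptions as approved rather than as gaps, and produces both the high-level "percentage of configuration items compliant" metric and the per-control metrics that a gap report would carry.

```python
"""Added example: a toy compliance validator with documented exceptions.

Hosts, policies and justifications below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class ConfigItem:
    """One configuration item (a server) as a discovery tool might record it."""
    name: str
    ftp_enabled: bool
    missing_patches: int
    unapproved_changes: int


# Control policies derived from the control objectives: each predicate is
# True when the item satisfies the policy.
POLICIES: dict[str, Callable[[ConfigItem], bool]] = {
    "ftp_disabled": lambda ci: not ci.ftp_enabled,
    "fully_patched": lambda ci: ci.missing_patches == 0,
    "change_policy": lambda ci: ci.unapproved_changes == 0,
}

# Documented exceptions: (item, policy) -> business justification. A policy
# failure that is not listed here is a real violation. (Constructed entry.)
EXCEPTIONS: dict[tuple[str, str], str] = {
    ("app-02", "ftp_disabled"): "vendor file transfer, approved by change board",
}

# Constructed baseline inventory (hypothetical hosts).
INVENTORY = [
    ConfigItem("web-01", ftp_enabled=False, missing_patches=0, unapproved_changes=0),
    ConfigItem("app-02", ftp_enabled=True, missing_patches=0, unapproved_changes=0),
    ConfigItem("db-03", ftp_enabled=False, missing_patches=3, unapproved_changes=1),
    ConfigItem("ftp-04", ftp_enabled=True, missing_patches=0, unapproved_changes=0),
]


@dataclass
class GapReport:
    """Result of one baseline or validation run."""
    total_items: int
    compliant_items: list[str]
    violations: dict[str, list[str]]             # item -> failed policies
    documented_exceptions: dict[str, list[str]]  # item -> excepted policies
    per_policy_percent: dict[str, float]         # lower-level metric per control

    @property
    def percent_compliant(self) -> float:
        """High-level metric: percentage of configuration items compliant."""
        if self.total_items == 0:
            return 100.0
        return 100.0 * len(self.compliant_items) / self.total_items


def evaluate(inventory, policies, exceptions) -> GapReport:
    """Baseline/validation step: measure every item against every policy."""
    violations: dict[str, list[str]] = {}
    excepted: dict[str, list[str]] = {}
    compliant: list[str] = []
    passed_per_policy = {name: 0 for name in policies}
    for ci in inventory:
        failed = []
        for name, check in policies.items():
            if check(ci):
                passed_per_policy[name] += 1
            elif (ci.name, name) in exceptions:
                # Documented exception: recorded, but not flagged as a gap.
                excepted.setdefault(ci.name, []).append(name)
                passed_per_policy[name] += 1
            else:
                failed.append(name)
        if failed:
            violations[ci.name] = failed
        else:
            compliant.append(ci.name)
    n = len(inventory)
    per_policy = {name: (100.0 * passed_per_policy[name] / n if n else 100.0)
                  for name in policies}
    return GapReport(n, compliant, violations, excepted, per_policy)


def validate(report: GapReport, target_percent: float) -> bool:
    """Validation: compare the measured metric to the target defined up front."""
    return report.percent_compliant >= target_percent


def format_report(report: GapReport) -> str:
    """Render the gap report in the form a compliance dashboard might show."""
    lines = [f"Items compliant: {len(report.compliant_items)}/{report.total_items} "
             f"({report.percent_compliant:.1f}%)"]
    for name, pct in sorted(report.per_policy_percent.items()):
        lines.append(f"  {name}: {pct:.1f}% of items compliant")
    for item, failed in sorted(report.violations.items()):
        lines.append(f"VIOLATION {item}: {', '.join(failed)}")
    for item, exc in sorted(report.documented_exceptions.items()):
        lines.append(f"EXCEPTION {item}: {', '.join(exc)} (documented, not flagged)")
    return "\n".join(lines)


if __name__ == "__main__":
    report = evaluate(INVENTORY, POLICIES, EXCEPTIONS)
    print(format_report(report))
    print("Target met:", validate(report, target_percent=95.0))
```

Run as-is, the report shows two of four items compliant (50%), flags db-03 and ftp-04, and lists app-02's FTP exception separately so it does not reappear as a violation on the next cycle. Re-running the same `evaluate` on a fresh inventory after remediation is the validation step; the exception table is what keeps the "fix" from interfering with the approved business use.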
Continuously Improve
By definition, effective compliance requires continuous diligence and improvement. Organizations need to continuously review
the effectiveness of their compliance activities. For example, based on the results of the validation step, you may need to revisit
your remediation actions to refine processes and/or control policies to more fully achieve the control objectives. Further,
continuous improvement goes beyond just meeting compliance goals to ensuring that those goals are met in a cost-effective,
sustainable manner.
You might, for example, initially meet your infrastructure configuration compliance requirements by hiring 20 temporary
workers for two months to manually apply server patches. But by automating that process, you could not only eliminate the
extra staff cost, but make it easier to maintain compliance consistently over time.
Measure and Report
The final step in the process is providing external proof that your compliance objectives have been met. During this step, you
measure and report on the progress against the objectives defined in the first step. The measurement should be done, to
the greatest extent possible, in an automated, consistent, and scheduled way to minimize disruption to users, and to assure
consistent and meaningful comparisons over time. A formal communications plan helps ensure that business and technical
managers receive the information they need in the form most useful to them, whether that be a detailed report on specific
technical changes or a color-coded “dashboard” highlighting overall progress toward business-level compliance objectives.
Depending on the nature of the compliance objectives, this reporting may be done to external auditors or internal business
management. In either case, the measurements and resulting information should clearly correspond to the initial goals, and be
presented in a format that makes it easy to understand the levels of compliance achieved as well as any remaining gaps.
Summary
For both legal and business reasons, compliance is not an option but a requirement for the modern IT organization. The risks of
financial penalties, lost business, or damaged credibility are too great to ignore. The good news, however, is that the steps that
result in effective compliance also deliver the benefits of a better managed IT organization: lower costs, reduced risk, increased
agility, and ongoing improvements in service quality. Those organizations that move most quickly to adopt these best practices
in achieving compliance will also be the first to reap business benefits that go far beyond avoiding risk.
Business runs on IT. IT runs on BMC Software.
Business thrives when IT runs smarter, faster, and stronger. That’s why the most demanding IT organizations in the world
rely on BMC Software across both distributed and mainframe environments. Recognized as the leader in Business Service
Management, BMC provides a comprehensive and unified platform that helps IT organizations cut cost, reduce risk, and
drive business profit. For the four fiscal quarters ended September 30, 2009, BMC revenue was approximately $1.88 billion.
Visit www.bmc.com for more information.
BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending
registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered
trademarks are the property of their respective owners. © 2010 BMC Software, Inc. All rights reserved. *121164*