Implement IT process controls to improve data center operations

Enforcing internal processes and policies can be a headache. As long as I'm passing the SOX audits, do I really need to care about every day operational compliance?

I have spent a great deal of time talking with

    Requires Free Membership to View

    Login

very skilled and experienced auditors who work with IT people day in and out. Many have expressed concern and disappointment that we've missed a good opportunity with SOX
More on change management and SOX compliance:
Controlling configuration and change management: IT process controls

Change and configuration management cut firm's downtime 

SOX: Now the real dirty work begins
to make meaningful IT improvements. Instead of implementing controls to solve real IT problems, many organizations have simply papered over their problems or weaseled their way out of the "materiality threshold" by arguing that IT deficiencies could not jeopardize 5 percent of revenues.

These auditors will allude to the IT heroics required to pass the SOX audit. They shake their heads at the fact that they'll have to do it all again in a year because, in the absence of knowing what changed in the environment, they will have to re-certify the effectiveness of their controls. Repeating this incredibly laborious testing process is ineffective and a waste of resources.

Culture of change management eases compliance, eases costs
Just because you passed your SOX audit doesn't mean your peers in management, internal audit or security are happy with the situation. You may find tremendous opportunity to decrease costs by ensuring that controls are built into daily operations. I've learned that the key trait high performers have in common is a culture of change management, which means the attitude at the top of the organization is that there are no acceptable unauthorized changes.

These organizations have preventative controls in place -- change management policies the organization is following -- not just for SOX compliance but for operational excellence. Further, these organizations have automated detective controls that monitor infrastructure and enforce the IT policy that there will be no unauthorized change. By doing this, not only will you increase the operational effectiveness and efficiency of your IT group, but imagine the surprise on your auditor's face when you say, "Here are our IT processes and how I substantiate my assertions that there have been no unauthorized changes to these systems."

Your auditor will quickly find other, higher risk areas to kick tires and you'll spend less time on activities such as liaising with auditors and fulfilling urgent document requests. Instead, you can focus on high value work that the business really cares about. How great would that be?

This was first published in September 2007

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top