Winning the Compliance Game

Looking for tips on how to ace your next regulatory audit?

The Compliance Security Council, made up of the Institute of Internal Auditors, the Computer Security Institute, and Symantec, has been tracking what's working and what's not, says James Hurley, executive director of research for the Security Compliance Council and a director of research at Symantec.

The council, which will be renamed the IT Policy Compliance Group this fall, has gathered compliance benchmarks and anecdotal data from interviews over the past few months in a survey of over 1,000 organizations that have been through audits. Among its recent findings:

• In the past year, about 85 percent of the organizations have been through one regulatory audit; 60 percent have been through two or more; and 80 percent, three or more.
• 10 percent are having less than three IT compliance deficiencies (including security) a year; 20 percent, more than 15; and 70 percent, three- to 15 per year.
• The biggest reasons for failing an audit: inadequate access control for applications and application servers, and inadequate documentation.
• Organizations with the worst audit results only did internal audits once a year, and those with the best did them an average of every 21 days.
• Whether their audit was successful or not, organizations didn't add any IT labor to their staffing.

Auditing woes mostly stem from improperly securing user machines and servers, according to the council's findings. "The problems being flagged in audits are in user and access controls on PCs and laptops, audit reporting and problems in configuration change management," Hurley says. "These are big areas where organizations are failing across the board, and most of these have to do with IT security."