Recent news events involving data breaches at Epsilon, a marketing service provider, and Sony Online Entertainment make an interesting read that further highlights the seriousness of the challenges that corporations and their IT security teams face today. Both incidents will no doubt raise the decibel on the call for more regulations and enforcement of current mandates, potentially adding to an already difficult and daunting environment for IT policy makers and implementers.
Either way, an expanding regulatory compliance landscape will place new responsibilities on security and IT operations teams. I'm sure we can all agree that meeting regulatory or security mandates such as Sarbanes-Oxley (SOX) or the Payment Card Industry Data Security Standard (PCI-DSS) involves more than technology, or configuration management tools for that matter. Beware of vendors whose configuration management tools come with logic-defying claims of "compliance-in-a-box"; successful compliance programs harness a combination of technology (security and IT operations), people and well-developed processes.
In any case, given the high dependence of business operations on information technology for most, if not all, of the stages in the business value chain, it's no surprise that a fair number of these mandates require compliant organizations to demonstrate a handle on their information management processes and, by inference, control over the underlying IT resources that enable those processes.
Whether an organization needs to demonstrate proof of internal control for financial reporting purposes as demanded by SOX Section 404 or it needs to meet PCI requirements that IT resources used in processing customers' credit card information meet or exceed benchmark security configuration standards, successfully complying with these mandates is directly or indirectly predicated on establishing effective IT change management and control policies.
So how does configuration management help towards your organization's regulatory and standards compliance efforts? When correctly implemented, it enables IT teams to:
- Enforce security configuration settings for infrastructure components based on accepted security hardening standards
- Track and detect changes in infrastructure resources from designated reference configuration snapshot (baseline) or gold-standard configuration
- Perform configuration audit scans and create compliance reports
- Remediate configurations that are non-compliant with OS and application configuration policies with automated or manual processes
- Ensure that configuration changes are carried out in accordance with internal change policies
Each of these functions adds to the arsenal of tools available to IT in addressing the requirements of multiple compliance mandates. Let's take a quick look at some of these functions and how they contribute to various IT compliance programs.
The first function has obvious applicability in meeting the IT policy compliance requirements of PCI (Req. 2.2), which requires that configuration standards developed for system components address all known security vulnerabilities and are consistent with the hardening standards set by industry sources such as the Center for Internet Security (CIS), ISO, NIST and SANS. Configuration compliance tools with rule libraries or content built on one or more of these industry standards can help automate the checks, apply recommended settings as necessary, and ensure configurations are kept up to date as standards are updated.
Functions 2, 4 and 5 described above can help in driving IT change control for identified business processes within a SOX Section 404 program. The rule, among other requirements, mandates that management perform a formal assessment of its system of internal control over financial reporting (ICFR) using a recognized internal control process framework such as COSO or COBIT. Broadly speaking, parts of the rule indirectly require examination of the risks associated with IT control processes (change management, security, application testing, etc.) in applications such as ERP and data warehouse systems that support the business process, so that appropriate IT control objectives can be set. An example objective could be "only approved changes are made to the ERP application subsystem", to mitigate the risk of using inaccurate data in financial reporting. Configuration compliance management can help track and ensure that only authorized changes are implemented as dictated.
Lastly, because tracking so many IT controls and their configuration settings is resource-intensive and error-prone, configuration compliance tools can perform automated scans and create audit compliance reports in support of IT efforts, eliminating one of the most tedious aspects of compliance mandates.
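To make functions 2, 3 and 4 from the list above concrete, here is an added example that is not part of the original post or any CA product: a toy checker that parses an sshd_config-style file, detects drift from a gold-standard baseline snapshot, audits the settings against a small hardening rule library, produces a plain-text audit report, and proposes remediation. The parser, the rule identifiers (SSH-01 and so on), the rationale text and the two sample configurations are all constructed for illustration; only the directive names are real sshd_config directives.

```python
"""Added example (not from the original post): a toy configuration-compliance
checker that exercises functions 2 to 4 from the list above. The parser, the
rule library and the two sample configurations below are constructed for
illustration; only the directive names are real sshd_config directives."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str   # benchmark-style identifier (constructed, not a real CIS id)
    key: str       # configuration directive to inspect
    expected: str  # value the hardening standard requires
    rationale: str


# Constructed rule library in the spirit of a hardening benchmark (function 1).
RULES = (
    Rule("SSH-01", "PermitRootLogin", "no", "root logins defeat per-user accountability"),
    Rule("SSH-02", "PasswordAuthentication", "no", "keys resist password guessing"),
    Rule("SSH-03", "Protocol", "2", "SSH protocol 1 is obsolete"),
    Rule("SSH-04", "X11Forwarding", "no", "unneeded forwarding widens attack surface"),
)

# Constructed sample: the approved gold-standard snapshot (baseline).
BASELINE_TEXT = """\
PermitRootLogin no
PasswordAuthentication no
Protocol 2
X11Forwarding no
MaxAuthTries 4
"""

# Constructed sample: what the scan found on a host after uncontrolled changes.
CURRENT_TEXT = """\
# root login and password auth were re-enabled outside change control
PermitRootLogin yes
PasswordAuthentication yes
Protocol 2
X11Forwarding no
MaxAuthTries 4
ClientAliveInterval 300
"""


def parse_config(text):
    """Parse 'Directive value' lines; '#' lines are comments, keys are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def detect_drift(baseline, current):
    """Function 2: every key whose value differs from the baseline, as (was, is)."""
    return {k: (baseline.get(k), current.get(k))
            for k in set(baseline) | set(current)
            if baseline.get(k) != current.get(k)}


def audit(current, rules=RULES):
    """Function 3: evaluate each rule against the scanned settings."""
    findings = []
    for r in rules:
        actual = current.get(r.key.lower())
        findings.append({
            "rule": r.rule_id, "key": r.key, "expected": r.expected,
            "actual": actual,
            "compliant": actual is not None and actual.lower() == r.expected.lower(),
        })
    return findings


def remediate(current, findings):
    """Function 4: return a corrected copy; unmanaged keys are left for manual review."""
    fixed = dict(current)
    for f in findings:
        if not f["compliant"]:
            fixed[f["key"].lower()] = f["expected"]
    return fixed


def compliance_summary(findings):
    """(compliant, total) for the audit report header."""
    return sum(f["compliant"] for f in findings), len(findings)


def report(findings, drift):
    """Function 3: a plain-text audit report suitable for an evidence folder."""
    ok, total = compliance_summary(findings)
    lines = [f"Compliance: {ok}/{total} rules pass"]
    for f in findings:
        status = "PASS" if f["compliant"] else "FAIL"
        lines.append(f"  {status} {f['rule']} {f['key']}: expected {f['expected']}, found {f['actual']}")
    lines.append(f"Drift from baseline: {len(drift)} setting(s)")
    for key, (was, now) in sorted(drift.items()):
        lines.append(f"  {key}: {was!r} -> {now!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    baseline, current = parse_config(BASELINE_TEXT), parse_config(CURRENT_TEXT)
    findings = audit(current)
    print(report(findings, detect_drift(baseline, current)))
    print("after remediation:", compliance_summary(audit(remediate(current, findings))))
```

Two design points matter for the change-control argument made above. Drift detection and rule auditing are kept separate because they answer different questions: the `ClientAliveInterval` line shows up as drift (an unapproved change against the baseline, which is what SOX-style change control cares about) even though no hardening rule covers it, while the two FAIL findings show which settings actually violate the benchmark (the PCI Req. 2.2 view). Remediation returns a corrected copy rather than writing to the host, so the proposed changes can themselves go through the approval step that function 5 requires.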
An important point to note is that configuration compliance addresses specific sub-sections or IT control requirements of the broader compliance mandates in the examples discussed. Successful compliance programs encompass much more than configuration control and create synergies through integration with security solutions and other management tools (access control, patch management, and software distribution are recognizable examples).
Automation is the name of the game as the inextricably linked demands for security configuration compliance and change control drive a convergence of needs between IT Operations and information security teams. With both teams having ultimate responsibilities to the business in achieving its regulatory and security goals, breaking down the silos between the teams through sharing of well-established best practices and tools is a positive outcome towards a more efficient compliance audit process.
Vendors such as CA Technologies have long recognized this convergence and offer customers a strong portfolio of configuration management and security compliance solutions. CA Configuration Automation, a stand-alone component of CA Automation Suite for Data Centers, is central to our configuration compliance efforts, with content and rules based on CIS benchmarks. CA Technologies customers are realizing new benefits from the solution through its expanded functional scope, from discovery and application mapping for ITSM change management and the CMDB to its central role in data center server provisioning and compliance auditing. Various customers have widely deployed the solution for enforcing change control on their critical Web infrastructure (to minimize outages due to uncontrolled changes) and on SAP business applications for SOX compliance.
To learn more about CA configuration compliance, visit the CA Configuration Automation page on ca.com and be sure to download the solution brief on Server & Applications Configuration Compliance.