Compliance management

» 

HP Labs

» Research
» News and events
» Technical reports
» About HP Labs
» Careers @ HP Labs
» People
» Worldwide sites
» Downloads
Content starts here
documents and files
 

Research opportunities

In today's enterprise IT environment, security governance is managed as a lifecycle where:

  • IT-associated risks are assessed.
  • Where appropriate, controls are designed to mitigate these risks. Controls can be technical mechanisms, but most often they are operational processes. The aggregate of controls is often called a control architecture.
  • IT staff then have the challenging task of deploying and operating these controls across a heterogeneous application and infrastructure environment.
  • The environment is regularly monitored and audited to give assurance that the control architecture is working effectively.
  • Finally, the loop is closed: based on factors such as audit results, cost, sustainability and newly identified risks, changes to the control architecture may be made.

Thanks largely to the string of financial scandals that rocked the business landscape in recent years, publicly held enterprises must now prove their compliance with a growing number of complex and constantly changing regulations. Chief among them is the Sarbanes-Oxley Act, which set tough new standards for corporate record keeping.

Other laws apply to particular industries -- for instance, the Health Insurance Portability and Accountability Act (HIPAA), which establishes stringent requirements for protecting confidential medical records.

Companies that violate those requirements, even accidentally, risk massive financial penalties; in particularly egregious cases, top executives could personally face criminal charges.

Research focus

We have built technology that allows enterprises to model their control architecture, improving the rigor of the (largely people- and process-based) assurance lifecycle. Moreover, given the difficulty enterprises have in demonstrating compliance with regulations, we are focused on automating the testing and reporting of controls.

We are also looking at how the technology can integrate with security analytics and correlations more traditionally used for security monitoring. Equally important, we are looking at how to use the modeling framework to orchestrate and integrate the different assurance reporting requirements of auditors, security officers, application owners, risk officers and compliance officers.

Current work

Using our tools, organizations can model control objectives, controls, metrics and tests. Individual auditors can also adapt the model as needed, adding new tests, queries or risk indicators, for instance, to determine whether controls comply with ever-changing rules and regulations.

Once built, the model configures an analysis engine that is integrated into the IT environment so that the relevant information is collected on a schedule. In this way we are able to automatically produce regular assurance reports that show, in traffic-light form, how well controls are working, provide the ability to drill down to specific problems, and spot trends that indicate emerging problems.

HP Labs is now working with HP Services to create a standard offering based on this technology. We are also exploring how our modeling approach can enable the sharing of assurance information across organizational boundaries. This is already relevant in outsourcing situations, but will become more so as we move to service oriented, shared and virtualized data centers.

Technical contributions

Our efforts are already bearing fruit outside the lab. The technology has been piloted with a major customer and internally, working with HP's own IT auditors, successfully demonstrating that the company has the proper IT and financial controls in place.

The modeling tool and associated analysis engine are being developed with HP Services.

Learn more

»  Feature story: Experimental tool builds trust, tracks compliance
© 2009 Hewlett-Packard Development Company, L.P.