By Mat Clothier, CEO at Cloudhouse
Many companies in highly regulated industries such as the financial sector find themselves losing pace with the sheer volume of new regulations, despite having an obligation to comply with them. It’s a constant treadmill that can leave IT teams and regulatory professionals scrambling to update their organisation’s IT suite so that they don’t fall foul of new rules, leading to rushed implementations and fixes which can create problems of their own.
In regulated spaces, many companies must undertake audits on a regular basis to prove that customer data and services are private and secured by the best known means. While cost savings are also a good justification for keeping on top of changes, the requirement to meet these rules means a solution is simply mandatory. This is even more pressing because regulations are only going to get stricter and the penalties for non-compliance more severe.
The regulatory landscape
There’s a plethora of regulations that financial services may need to remain compliant with. The SOX act, for example, was devised to protect both shareholders and the general public from any fraudulent practices or accounting errors. In both a financial and IT sense, all public companies in the US, and non-US companies with a presence in the country, must now comply with the regulation or face fines of up to $5 million.
A merchant of any size accepting credit cards must also be in compliance with PCI DSS, and keeping such systems secure is critical to ensuring that customers can trust the company with sensitive payment card information. In the banking landscape, regulations such as Basel II provide recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision.
It’s a fraught landscape and one that financial organisations need to navigate successfully; the eventual alternative is potentially being unable to stay in business if a fix isn’t ultimately implemented. The key to enabling compliance is carefully controlling change, which includes tracking any deviations through development, validation via engineering and then testing any new integration. The biggest issue with ensuring compliance, however, is the overhead required both to test systems and to ensure that the results are recorded in a meaningful way, but the correct technology integration can remove this challenge.
The key first step in being able to keep control over regulatory compliance is tracking configuration across the range of devices that may make up an IT suite in a financial organisation. With the right technology in place from a specialist vendor, the current configuration can be ascertained before having visibility of how a device may have changed over time, which is vital data in understanding where a fix needs to be applied to ensure that regulatory standards are met.
With this information gathered, the right controls can then be applied based on the organisation’s interpretation of public standards. This could, for example, be a particular setting that means only certain users have permission to access customer data, or a firewall that should only allow a certain type of information through. A monitoring tool can then be used to continually check and identify any change that deviates from those controls, ensuring that any potential future issue can be picked up before it becomes a problem.
A key aspect of deploying a solution to maintain control over devices in one location is the removal of time-consuming manual processes, which otherwise leave IT professionals spread too thinly across a range of different solutions. This could include server provisioning, a desktop or laptop system, network devices, storage and potentially even a different solution for each of their applications. By adopting a strategy where a heterogeneous monitoring tool is used, it’s all in one place and any non-compliant devices won’t slip through the net, reducing the chance of configuration drift.
Being everywhere at the same time
It used to be the case that IT professionals were able to keep control of regulatory developments and changes via the monitoring of one device at a time. In the IT world of today, it isn’t so simple, particularly in the finance industry where evolving regulations create a need for jurisdiction over numerous devices across a complex IT suite. In an IoT world, the number of devices is only going to grow, with each requiring a slightly different approach to ensure compliance.
IT professionals can’t, however, be in two places at the same time, no matter how much the modern environment demands it. Technology can enable omnipresence in the IT space and provide a level of oversight that wasn’t previously possible. With a monitoring tool in place, professionals in the industry are able to keep control over a diverse set of internal technologies and their current state of compliance, easing the strain on human resources and ensuring disruption-free financial processes.