The level of compliance monitoring your organization demands is relative to the count and severity of regulations your organization must operate within. But whatever your compliance mandate, one thing is true: you need to be on top of your corporate governance and a monitoring solution is essential if you want to lower risk and deliver business benefits.
Fortunately, setting up your solution doesn't have to be the most complicated thing you'll do this fiscal year. You can even use a security information and event management (SIEM) solution that you pay for on a monthly basis. It's a simple line item you don't have to worry about managing or hosting on premises.
But setting up the solution still takes a few steps. Let's jump in.
3 Steps to an Effective Compliance Monitoring Setup
Depending on which regulations you have to work with, you'll need varied info types. In general, though, your solution will be collecting information from somewhere.
Step 1: Find Your Sources
So the first step in setting up your SIEM solution is deciding exactly where those "somewheres" are, says Alex Insley, Twinstate's Unified Defense Strategies technical manager. Are you expecting information to flow in from every workstation? Every switch? Even your anti-malware platform can feed info to your SIEM solution. Determine what your sources are.
Step 2: Define and Format
You really need to be able to sort through all of the information coming in to understand what's most important to pay attention to, as it relates to your mandate. Picking and choosing what's most important and then configuring your platform to prioritize that information is probably the hardest part of setup.
Step 3: Create Alerts
The formatting you just did is necessary in order to create proper alerts. You set your triggers and your alert process. For example, if your Sophos solution finds malicious activity on computer A (assuming you included individual computers in step 1 and "finding malicious activity" as an action in step 2), the system might send you an email. Or you could request a phone call for more severe activity.
This part is up to your discretion, and based on priority. You might want to consider how much time you'll have to respond to each alert. If an infraction is a little less serious, is there a way to delay the alert or alert a secondary team member?
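To make the three steps concrete, here is a small added example (not from the original article or from Twinstate) of how the decisions in steps 1 to 3 end up as a routing rule: a list of chosen sources, a priority map of which (source, action) pairs matter for the mandate, and a function that turns a matching event into a phone call, an immediate email, or a delayed email to a secondary team member. The source names, actions, recipients and delay are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Step 1: the sources we decided to collect from (constructed list for this example).
MONITORED_SOURCES = {"antimalware", "workstation", "switch"}

# Step 2: which (source, action) pairs matter for our mandate, and how much.
# Higher number = higher priority. Anything not listed is collected but never alerted on.
PRIORITY = {
    ("antimalware", "malware_detected"): 3,
    ("workstation", "failed_login_burst"): 2,
    ("switch", "config_changed"): 1,
}

@dataclass
class Event:
    source: str   # which feed the event came from (must be a step-1 source)
    host: str     # e.g. "computer-A"
    action: str   # what the source reported

@dataclass
class Alert:
    channel: str        # "phone" or "email"
    recipient: str      # primary or secondary on-call (constructed names)
    delay_minutes: int  # 0 = send now
    summary: str

def route_event(event: Event) -> Optional[Alert]:
    """Step 3: turn a prioritized event into an alert, or None if it is out of scope."""
    if event.source not in MONITORED_SOURCES:
        return None  # not a source chosen in step 1
    priority = PRIORITY.get((event.source, event.action))
    if priority is None:
        return None  # collected, but not relevant to the mandate (step 2)
    summary = f"{event.action} on {event.host} (via {event.source})"
    if priority >= 3:
        # Most severe: page the primary responder right away.
        return Alert("phone", "on_call_primary", 0, summary)
    if priority == 2:
        return Alert("email", "on_call_primary", 0, summary)
    # Low-severity infraction: delay the alert and hand it to a secondary team member.
    return Alert("email", "on_call_secondary", 60, summary)
```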
If you have hundreds of potential alerts, that can represent a massive amount of work, notes Insley. The amount of work you need to do can be helpful in determining whether or not you need a third-party vendor.
Do You Really Need a Vendor's Help?
"Whether or not you need a vendor's help is really dependent on the size of the environment," says Insley. "The turnaround time is a big factor in that too. If you need a solution quickly, you need to outsource."
For many organizations, quick turnaround time is necessary because those organizations may be setting up compliance monitoring as a reaction, rather than a precaution.
Another determining factor: the requirements of your regulatory body. Sometimes, auditors enforcing these regulations want an independent third party involved so there is no room for collusion. As IT staff, you're likely to care a lot about the health of your environment. But there are organizations and roles that just care about how their environment looks to everyone else, and that's why lack of collusion is important to some auditors.
Ultimately, a good compliance monitoring system depends on your setup. Choose your priorities, identify your sources, configure your solution, and create your alerts. And, if you can't do all of the above quickly and without bias, hire a third party to help.
Originally published on 11/17/2016