The word ‘compliance’ has come a long way in the English dictionary. It might have started as yet another addition to the vocabulary, but now the image it conjures up – little would have the people who coined this word foreseen this evolution.

SOX, HIPAA, PCI, FISMA, GLBA… and considering the probability of the future Enrons, this list is only expected to grow. However, since many organizations have taken active steps to adhere to the compliance-rules, transactions on the web have become a lot safer than they used to be! Companies will surely not want to take the risk of being non-compliant…not if they have to face dire consequences!

You’ll have to face those dubious ‘CNN moments,’ where you’ll need to parade in front of the camera for the whole nation to scorn you. As a consequence, you’ll lose out on a large chunk of customers – who’ll want to project themselves as a victim of fraud!?! If you are a larger organization, the impact is even worse – the shareholders pull-out as their value will drop. This will, in the worst case, mean an abrupt closing of your business! Non-compliance triggers a domino-effect of events that never seem to stop!!

Additionally, there are consequences (of relatively less intensity) like paying thousands of dollars as penalty, and having a tough time fighting the Government to safeguard your dignity (and that too…by paying a lawyer!), or even worse, ending up in the prison!

Amidst all the above mentioned , be assured that being compliant and establishing compliance is not conversely difficult as the consequences seem…not if compliance becomes an everyday activity rather than a one-time task! If all access logs and financial data are maintained and audited regularly, there’s no need to ‘comply’ all of a sudden! It’s just there when you need it! Compliance is more like a set of rules that streamline the flow of financial audit process and strengthen data-security. It may seem that (if not caught red-handed), things do go well for the organization…but it’s always safer and better to be compliant – because it ultimately boils down to data-security!

Now comes that really achy part – establishing compliance; a situation more like ‘Water Water all around, and not a drop to drink.’ If you’ve been compliant all year long and you need to establish compliance, all you need is comprehensive software that will collate the data and generate neat reports that will establish compliance. There are tools that cater to specific compliance requirements, and also ones that deal with everything – SOX, HIPAA, PCI, GLBA and FISMA!

Throw away all your compliance woes folks! There’s nothing to it beyond being diligent in maintaining your financial records and being able to prove you’ve done so!!

When I was in business school in the late 1990's, we learned about Total-Factor Productivity (TFP). That’s the factor or coefficient that, when combined with labor and capital, equates to total output. TFP is an intangible, but it is thought to be anything from better human capital skills to technology (IT).

I bring up this old memory because there was a debate at the time among economists as to how big a role IT played in overall productivity gains and thereby total output for an entity or even GDP. I'm no economist, but I think the answer is pretty obvious today. Again, without anything to cite other than common sense and simple observation, I think future historians and economists will look back and consider the information age as every bit as important as the industrial revolution. When you think about the ability to process information rapidly, to store and retrieve data, to communicate instantaneously, and to optimize manufacturing processes (or, for that matter, to optimize nearly any business process though the application of IT), is it really possible to view the past 30 years as other than revolutionary?

Nearly every aspect of our lives has changed for the better because of technology. Whether it be a GPS-guided car ride, the rapid check-out at the grocery store (today it is self-check out!), or purchasing an airline ticket, nearly everything is more efficient. I won't even get into how Apple alone has enhanced our everyday lives with the iPhone and iPad and the related apps! The fact is, the more we invest in technology, and the quicker we can harness its power, the more productive we can become.

As I recall, the debate about how much technology contributed to productivity was related to the cost of IT and the ramp-up related to deploying new technology. While these factors may prolong the return-on-investment, there can be no doubt to the eventual gains in productivity. Organizations are highly optimized today because of technology. On balance, they are more profitable because of technology and the related productivity gains.

To be sure, IT has also led to lost jobs. IT automation and globalization have eliminated the need for millions of jobs in the U.S. and elsewhere--but the same observation could be made about the industrial revolution: Think of how many weavers and tailors were forced to reinvent themselves when the mills optimized the production of textiles. The nature of revolutions is that societies change; old ways are abandoned and new ways are adopted. While some industries, manufacturing in particular, have suffered (in terms of net jobs) as a result of IT, I do believe that other industries--particularly the IT sector--have flourished. Still others will flourish too as more entrepreneurs find new ways to use IT to do new things - but, that is another blog!

In the early days of the technology revolution (1980's - 1990's), the cost of adopting and  deploying technology were high. The technology needed to mature. Economies of scale, which could drive down technology costs and make technology more mainstream, had yet to be achieved. And, keep in mind that back in the ‘80s people spoke of “business re-engineering” projects in terms of months and years of effort--and this was the conversation among the technically savvy people. Back in the ‘80s and ‘90s, it took a long time for productivity to improve because it took a long time to deploy the technology. Some people didn’t want to embrace technology, so that complicated factors and could, in some cases, increase the costs and delays of deploying technology.

So much of that is different today. We can deploy technology faster and at far lower costs. People are far more accustomed to using technology--particularly younger workers, who have grown up in a world where technology is common. Indeed, we’re fast approaching the point where the users of technology are moving ahead of the IT organizations tasked with managing and maintaining the technology. In more and more organizations, people are walking through the doors with iPhones and iPads; they’re connecting and collaborating in ways that their IT organizations have no control over. From a personal productivity standpoint, that’s exciting. Moreover, it’s exciting from an overall organizational standpoint: the more productive the people within the organization are, the more productive the organization can be.

But it’s all maddening for the IT organization. They’re the ones who are struggling to keep up. They’re the ones that feel like they’re falling behind. They, who used to define what it meant to be cutting edge, are feeling dull.

What’s the solution for an IT organization? Do what you really do best: Use technology to better harness the power of technology. IT organizations need to find ways to make use of the lean, cutting-edge tools and service delivery modalities to facilitate the delivery of IT services. Once you can figure out how to improve the productivity of the IT organization itself, you have more time to focus on how you can use IT to improve the productivity of the broader organization. 

In the end, IT is all about boosting TFP -- at the personal level, at the level of the IT organization, and, ultimately, at the level of the enterprise itself.

Raj

I had a lot of fun talking to Michael Dortch recently. For those of you who don’t know Michael, he’s a charismatic IT analyst who has a great perspective on IT and who likes to share it. The man’s one of the toptweeting IT analysts and has written extensively about IT infrastructure, collaboration, and cloud computing — all of which are right up our alley at Zoho and ManageEngine.

So Michael came to Pleasanton, and we talked about what is on the minds of IT managers today. Feeling Dickensian, we agreed that it is both the best of times and the worst of times for IT managers. A lot of exciting technology is making its way into business, and some of those technologies — mobile tech like smartphones and tablets, and social tech like Twitter and Facebook — are game changers. Some have introduced dramatically improved levels of productivity; others have changed entire business models.

That’s the best-of-times view.

The worst-of-times view takes in these same game-changing technologies but looks at them from the perspective of IT professionals struggling to deal with them. How do we incorporate them into our infrastructure? How do we manage them for the enterprise? How can we make the most of them ourselves to deliver IT services more effectively and play a larger role in the delivery of value to the business and our customers?

Sure, CIO’s are all talking about using technology to grow their businesses, improve service delivery, align more effectively with business units, become more agile, establish a common language between IT and business groups, and so on. Wow, sounds good, right? But now, turn your gaze away from the big screen. Pay attention to your colleagues behind the curtain — the ones in charge of keeping the server lights green and the networks up and running. “It sounds nice,” they mutter, “but it’s not going to happen at the pace that it should.”

Why not? Well, as most industry analysts indicate and discussions with IT professionals validate, it comes down to budget and hours in the day. Most analysts say that 60-85 percent of IT budget dollars are spent on “keeping what they have working and making what they have work together.” Not surprisingly, IT professionals spend about the same percentage of their time on the management and maintenance of existing technologies and projects — leaving virtually no time to execute the forward-thinking vision of the CIO.

Michael and I reached the conclusion that until IT organizations can get their arms around the technology they already have and until they can drive down the maintenance costs, the cool new stuff will take a backseat. It’s a bit of a catch-22, sadly: The new technologies may very well contribute to greater productivity and lower costs but only if the IT organization can find time to explore them, envision and test new business and service delivery models, and then deploy those technologies — which, of course, they can’t do until they can free up some time.

It would be great to get a larger population of IT professionals to weigh in on this topic. Let us know: Are you able to adopt new technologies fast enough? And if not, why not?

Raj

T​he current dynamic IT scenario ascertains the importance of security logs because of the rise in hackers activities. The resultant requirement is an event log management tool to detect security issues within your network. Massive data in gigabytes are likely to appear per day that are irrelevant; until critically analyzed to confirm network security is error-free. Event log management comes prior to any other measures you may have considered for security reasons. It is not an opinion but an enforcing factor for ensuring security and growing auditing concerns.

Security Event Log Management Checklist

Before zeroing down on any of the event log management software application, it is crucial to know if it serves as the correct solution to your unique security demands, is it cost-effective? What would be the exact features and role of the event log management solution in your company? Overall, review the event log management solution on the following parameters: 

Easy to Use Reports

It should most importantly, bring about convenience in reviewing security information with an easy,comprehensible report structure providing summarized view of the security data. Additionally, the data management by the event log management tool should be such that, a quick insight into the security-related information is possible and analytical. T​ he reports should give an overview on the top event reports on logon, logoff attempts, alerts and system users that are of high relevance to the administrator and the enterprise management.

D​etecting Threats by Tracking Down the History of their Occurrences

T​he event logging tool should be able to provide trend analysis so as to bring about the disguised threats in spotlight. T​ o derive an implication on specific pattern of events, the event log tool should be in a position to present a visual representation of the updated factual security information.

The Archiving Feature, Storage Capacity

Y​our event log tool should be scalable enough to include heavy amount of log data​ and store this for a longer, required period of time to be available for forensic investigation; in case a security incident occurs within the organization.

Supporting Systems and Formats

The event log tool should be compatible with any given log source, supporting Security Issues in Network Event Logging Standard (syslog),Windows, W3C web server, proxies and applications as well. The IBM AIX, Sun Solaris BSM) UNIX logs and any devices from CISCO (routers & switches), Junifer and others, too, should be monitored and logs collected and analyzed from these systems. So, basically, it has to accept log data from heterogeneous sources in variety of formats.

Role of an Event Log Application

Why compliance audits?

Let us not narrow our perception to the IT systems alone...but with IT infrastructure as a broad term. Auditing has a purpose. Tracking activities within the systems is important for system security but most importantly, it is a priority for data security. Towards a secured IT data within an organization, auditing requires not just protection but assurance of continuous protection.

Auditing: Hard-and-Fast, Stringently Enforced Rule

Compliance audit calls for both: event logging and log reviewing. However, it is witnessed that only for the sake of being compliant to the regulatory acts, to which they are legally bound, companies are willing to opt for event log inspection. But minus log reviewing and analyzing, an event log application is a mere security camera recording with evidence, but no crime patrol. It is like gathering information on the confidential data loot but no eyes to see.

Why spend on an event log management tool that serves compliance log management?

Simple! Since it is a source of evidence, assurance, and most importantly, an investment measure.

Source of evidence, in terms of providing timely information, objective news and proving as a witness required to resolve confidential data theft issues.

Assurance of continuous monitoring and alerting functionality that assists in situational awareness for appropriate handling of the situation. An event log application acts as an identifier of threats.

Investment in investigation of inappropriate behavior within the systems through an event log analyzer that analyzes logs and provides an insight into the events captured in logs. Investment because an event log application, like a lie detector, is a threat detector that locks security incidents, assists in preventing policy breaches and avoids getting duped by any trickster or hacker, assists in rectifying operational errors. 

Tips from the Auditor's Perspective:

• Your event log tool should continuously trail for events and retain the logs originality. Logs that are protected from any kind of manipulation serve as a quality assurance to the auditors and mark as a good compliance log management practice. 

• The log reporting structure should be compatible and comprehensive to human understanding. It should be systematically presented with indexes to locate the trends and behavior of activities that occurred within the infrastructure. 

• It is important to learn what kind of logs correspond to the compliance log management requirements that your organization is to abide with. Accordingly, your reports should introduce event logs with appropriate categorization of events. Using an advanced event log tool, you can customize the inbuilt reporting structure to match the compliance log management and audit needs.

• Compliance audit aims at requiring the operating systems, a home to personally identifiable information (PII), to record any network issues.

Plan of Action: is to not only meet regulatory compliance standards but also stay confirmed about secured IT operations within the network as a part of compliance log management. As a step to satisfy these needs, you require EventLog Analyzer as your log management tool. Opting for EventLog Analyzer, you can achieve event normalization. In other words, you can get rid of the formatting issues that could result in a Windows Vista event log file being unreadable on Windows XP systems. The tool supports EVT and EVTX log format.

What exact information are the auditors looking for?

• Study of the process involved in following corporate policies and set compliance standards and whether or not these procedures are in sync with the applications and the operating systems within the network

• Recordings of security updates and host users have a place in the event logs

• Detailed analysis and storage of information on any changes or revision in the applications and systems including: user responsible for modification, the when and what changes have taken place and the cause for the modification, logon-logoff attempts, date and time, effective from and on which data files or network resources

To conclude, every IT organization for security of systems, servers and overall network environment should be acknowledged on the legal requirements and the risks involved in not applying EventLog Analyzer tool as a means to achieve compliance log management. These risks include:incurring expenses on the name of penalty for customer credentials theft, data breaches, and unable to abide by the regulatory standards set by the government. If you feel your organization is safe with current tools, it is time you know that the security concerns are very high with the high-tech hackers on prowl, awaiting for a loop hole in your network. Your IT infrastructure might not be as safe as you think it to be!