If something affects the business -- be it emerging competition, shifts in market demand, process re-engineering, or government regulations -- then it affects how the business' computing systems are managed. The Sarbanes-Oxley Act's regulations are a perfect example. When the law was passed in 2002, most enterprises viewed it as an issue for their auditors and financial officers. But lo and behold, in October 2003, the Public Company Accounting Oversight Board proposed an auditing standard (PCAOB; Release No. 2003-017) that states "the nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."
What this really means is CEOs and CFOs cannot fully document their Sarbanes-Oxley compliance without active participation from CIOs. However, many IT executives have been caught flatfooted and are not on compliance committees. They also have been hamstrung by years of buying tactical point products for their organization, which fostered technology fiefdoms and did little to create the robust IT processes that make compliance documentation simpler.
Those lucky enterprises that have taken IT and business alignment seriously, and have already bought or are in the process of choosing enterprise-wide configuration control and infrastructure relationship mapping solutions, will find complying with the regulations much faster and easier than their reactive counterparts. The reason is that those tools provide ready answers to the questions central to compliance, namely:
- "Which of my computing resources are related to the regulation?"
- "How do I actively control my constantly changing infrastructure so that the resources to the regulation remain in compliance?"
These enterprises simply point their mapping solutions at their financial systems and will receive logical topology maps detailing which resources are related to the financial systems. Automatic configuration discovery capabilities allow companies to ensure, and document, that their change management processes are followed consistently. CIOs who approved these technologies for service management or capacity consolidation projects can readily apply them to compliance efforts.
For other enterprises, CIOs now have a unique opportunity to use a tactical issue to implement strategic configuration management processes and solutions that can have benefits beyond reducing the manual effort needed for yearly compliance auditing. Service-level management, problem resolution, capacity planning, patch management and security management issues are all related to active control of infrastructure configurations. They all need answers to the same two questions raised by Sarbanes-Oxley -- for example, substitute the phrase business service for regulation and you have the core questions surrounding service-level management. Thus it behooves IT organizations to use their Sarbanes-Oxley budgets and resources to kill several birds with one stone.
Needless to say, there are several products with configuration control and infrastructure relationship mapping from the likes of Collation, Cendura, Relicore and Troux, and acquired by BMC and Mercury as part of their enterprise portfolios. This fall, we will be looking more closely at the compliance requirements, solution capabilities, and how to maximize the benefits across multiple IT arenas.
Jasmine Noel is co-founder of Ptak, Noel & Associates, an analyst firm addressing converging IT trends and how to leverage them. Previously she was director of systems and applications management at Hurwitz Group, and a senior analyst at D.H. Brown Associates.