While IT is focused on getting their arms around the Application Management problem, regulatory mandates like Sarbanes-Oxley (SOX), HIPAA, the PCI Data Security Standard, FDA 21 CFR Part 11, the Gramm-Leach-Bliley Act, FISMA and Basel II are pushing IT and business users to the brink with a myriad of compliance and audit requirements. Having visibility into all the controls in the system, managing the change process and reporting on those controls and changes has become the main focus of most companies.
While companies currently treat IT Management and Compliance as two distinct needs, I am here to tell you that, if implemented correctly, the ITIL concepts around Change Management, Configuration Management and Release Management (aka CCR) will go a long way toward establishing the framework companies need for their compliance requirements as well.
With Configuration Management, going down a level from the Application Infrastructure to the Application Controls level, having visibility, dependency mapping and monitoring of the changes will in effect satisfy some of the key requirements around IT Management in SOX 404. Similarly, monitoring access management in the application should help companies ensure that the confidential credit card information stored in the application is secure and not accessed by unauthorized personnel, thus meeting the needs of the PCI Data Security Standard.
Once we have the focus of CCR at the Application Controls level, reporting on those controls becomes easier. Almost 80% of the compliance requirements are about reporting on controls and access information.