Monday, August 15, 2011

O-ACEML for Better Security Compliance

Languages based on XML (Extensible Markup Language) that can cut across different information systems platforms are nothing new. We already have XBRL, ebXML, and a variety of others. XBRL has become a global standard for financial and business reporting.

Auditors, however, are still hampered by the existence of different platforms within a single overall system. Each platform typically has different ways to configure security, from password management to object access to user control and maintenance. That makes it difficult to apply corporate security policies, monitor compliance and identify issues.

It seems natural that XML might come to the rescue. Recently the Open Group and others released a specification, available on The Open Group website, that outlines O-ACEML (Open Automated Compliance Expert Markup Language).

The new standard is attracting some interest among auditors. It promises the ability to write security rules for corporate adoption in O-ACEML that could be interpreted by O-ACEML-aware systems and then translated into the protocol used by those individual platforms. So the same rule could be applied on any number of platforms within an overall information system. Clearly this would be valuable in promoting compliance with security policies.

Moreover, compliance can be monitored with those same rules, with output from individual platforms translated into O-ACEML and then transported back to the auditors for analysis.

These policy application processes and monitoring activities are a problem now. O-ACEML can make it all work.

Here's a discussion on the subject that's worth reading.
