InfoEdge Logo
Offering Select IT And Business Management Research
research@infoedge.com
800.544.7337 | 617.969.9080
Home Page About Us Contact | Questions Shopping Cart
Recent Reports Information Centers Free Research IT Business News and Articles CIO Strategy Center Browse Categories
Related Reports
Security Audit Program
The audit program is one that either an external auditor or an internal auditor can use to validate the compliance of the Information Technology organization and the enterprise to ISO 17799, Sarbanes-Oxley, HIPAA, and PCI-DSS.
IT Spending, Staffing and Technology Trends
The study tracks spending in ten industry and government sectors and provides objective and comprehensive data designed to assist IT and business executives in the financial and strategic management of information technology.
Options in Enterprise Backup
This report reviews the intricacies of backup practices and procedures, including security, business continuity, archiving and compliance.
The State of the Mainframe
Mainframe MIPS growth is averaging around 20% per year. This new report looks at the current state of this "legacy" system.
IP Telephony Solutions: Product Comparison Report
This report includes an overview of the enterprise IPT market, a comparison of nine leading IPT solutions, and a summary of the relative strengths and weaknesses of each product.
Regulatory Resource   Threat Intelligence      Resilient IT      Boardroom Strategies      
Resilient IT / Analytics and ROI

Effective IT Governance Risk and Compliance Starts at the Top

From the Editors of CIOSC

Information security is a business issue, not just a technology issue. Data breach incidents, new laws and regulations and security audits have grabbed the attention of corporate executives across the globe, driving the evolution of information security from mainly a technical problem into a business challenge. Today’s corporate executive now must be concerned with protecting the most important assets of any organization: knowledge and data.

These executives face an ever-expanding number of critical demands, yet they work in an environment where failure is not an option. If a company experiences a security breach, significant damages may occur on many levels, including the loss of investor and customer confidence. If a company fails a regulatory audit, the executives may be subject to criminal and civil penalties. Corporations must ensure the confidentiality, integrity and availability of their data.

Boardrooms are buzzing about governance risk and compliance and the need to govern IT infrastructure. This newfound focus has fueled a host of information security initiatives, and corporations are left wondering where to start.

Minimizing risks, showing due diligence
A top-down, risk-based approach to IT governance risk and compliance (IT GRC) will enable organizations to minimize their risks and show due diligence to customers and stakeholders. This approach makes it possible to:

  • Identify, understand and interpret the regulations that apply to the business.
  • Translate those regulations into a generally accepted best-practices framework and corporate security policy, which provides the structure used to define control objectives.
  • Map best-practice frameworks into sets of technical checks and procedural controls.
  • Integrate technical checks and procedural controls across the IT infrastructure and the people.
  • Document and continuously monitor compliance status, and demonstrate proof of compliance to auditors, executive management and other stakeholders.

Organizations that start their IT GRC programs from the bottom up often turn to the capabilities of the tools at hand, jumping into establishing technical and procedural controls that ultimately result in inefficient spending and a lot of unnecessary technology thrown at the problem. The best security begins with upper management creating an actual policy or mandate to implement security.

First up: a corporate security policy
The first step is to formulate a corporate security policy. Executives need to determine where the risks are, what the organization wants to accomplish and then write the corporate policy to mitigate these risks. The corporate security policy should be an outline of security practices that every executive in the organization agrees to live by.

Corporate security policies are used to define the procedures, guidelines and practices for configuring and managing security in the business environment. The role of the policy is to guide users in knowing what is allowed and to guide administrators and managers in making choices about system configuration and use.

A host of information security standards and government regulations -- such as CoBIT, ISO 17799, HIPAA and PCI DSS -- provide a great foundation for a corporate security policy. Too often, organizations find major disconnects between corporate policies communicated to employees and the actual control objectives required by regulations and frameworks. Policies should be based on industry standards and regulations, but a plain and simple version of the policy that can be rolled out to employees needs to be created.

If all employees help to implement the policies, an organization’s information security and regulatory compliance posture should be strong. The best way to get employees on board is through corporate security awareness and training.

Having a security policy that is easily measured and enforced is also critical. The corporate security policy provides the acceptable baseline standards against which to measure compliance. And, by planning on the worst-case scenario, enterprises can be better prepared for policy violations.

An effective security policy doesn’t stay static. It is a living document, changing with corporate needs. It evolves to guard against perceived threats and changing system architectures.

Procedural and technical controls
After establishing the corporate security policy, the next step is to connect the written policy to a set of specific procedural and technical controls on individual components of the organization’s infrastructure. Documentation of this structure has become a priority for auditors.

Procedural controls consist of written statements of expected behavior for individuals and processes they must follow. These controls could include security incident response procedures and business continuity plans.

Technical controls include policies that can be technically automated or enforced across the IT infrastructure. For instance, technical controls could include a company’s password policies, as well as the secure configuration and protection of system servers.

Once policies and controls are documented, the burden of IT GRC shifts to continuous IT infrastructure assessment, validation and monitoring. Regulators and auditors want to be assured that when gaps in a control structure become evident, the organization will promptly identify remediation tasks and complete them. Beyond the regulating authorities, executives within the organization want the same assurances. Organizations must therefore be able to automate processes that assure the ability to sustain compliance through continuous monitoring, reporting and remediation.

A look at industry leaders
Industry compliance leaders monitor, measure and assess controls 12 times more frequently than industry laggards. Enterprises with two or fewer compliance deficiencies and two or fewer data losses annually conduct assessments once every 19 days, while laggards assess controls once every 230 days (“Core Competencies for Protecting Sensitive Data,” IT Policy Compliance Group, October 2007).

What’s more, nearly all IT security technology controls and procedures are now automated among the organizations performing as leaders in compliance. These leaders, according to the IT Policy Compliance Group, are re-allocating funds from external contractors to equipment and software for automating the monitoring and measurement of controls and procedures, and they are consistently spending 32% less time on compliance than firms that do not automate such repetitive tasks.

Conclusion
Failing to comply with industry and governmental regulation comes at a great cost in the form of penalties -- damage to the organization’s brand and financial loss. To protect valuable data, enterprises today must look to improve their IT GRC programs both from a policy and a technology standpoint. The good news is that the executive suite is increasingly aware of the stakes and recognizes that IT GRC is a business decision that affects the viability of the whole company.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.

Articles by Topic
Network and Infrastructure
Analytics and ROI
Strategies
Related Content

Features

View More


Metrics

View More

Fast Fact

Technical controls include policies that can be technically automated or enforced across the IT infrastructure.
Sponsor Tools

Resources

White Papers

View More


Podcast Audio Content

CIO Strategy Center is now available in audio format.

This week's feature topic is:


Risks of Wireless Email
Playtime: 8 min 23 sec



Download | Subscribe

Copyright © 2008 Studio One Networks. All rights reserved.
Geography Specific | Advanced Technologies | Industry Verticals | Executive Management | Information Technology | Human Resources | Telecommunications | Sales And Marketing | Finance | Hardware | Software | Web | Outsourcing | Top IT Priorities
home   |     site map   |     about us   |     privacy statement   |     research providers   |     contact us   |     categories

Entire contents ©2008 InfoEdge. All Rights Reserved.
Email: research@infoedge.com