Where to Start with IT Security Compliance?

With the economy near all-time lows, job complexity on the rise, and millions of security breaches occurring each year in the U.S. alone, how can companies keep up with the growing myriad of compliance issues?

According to a recent CIO article, “Most companies, depending upon their industry, have to comply with anywhere from one to six or more regulatory requirements imposed by a government or industry entity to protect consumers, patients, investors and others.” Much of this can be attributed to regulatory crackdowns following events like Sarbanes-Oxley, the sub-prime mortgage collapse, and major Ponzi schemes.

While it’s understandable that recent regulatory action has been enacted with good intentions, it seems to me that we’re thick in the middle of the age-old regulation cycle. Regulate, over-regulate, pushback, deregulate. Begin again. It’s evident that many of the current IT regulations are in place to ensure appropriate corporate management and protect against harmful breaches, but how does a firm balance the opposing forces of organizational security, competitive agility, and technology cost?

A few tips from the business perspective:

  • Assess: The firm’s management team and technology groups should work together to fully evaluate all applicable security requirements, mandated controls, and all-around technological risks. Attempt to find ways to mitigate, or at least harmonize, risks, perhaps by outsourcing some of the security burden to third-party contractors.
  • Consolidate: Following risk harmonization, determine ways to consolidate practices across organizational security needs. For example, be sure to review and eliminate any unnecessary legacy regulatory concerns.
  • Practice: The old saying that practice makes perfect is true here too, so it's best to create an emergency action plan and rehearse how to eliminate and then recover from security breaches.
  • Change: I say this cautiously, however. An organization should remember that a small change is a big investment and can go a long way…when done right. So, prepare for it, execute it, and then follow through.

More information from a technology outlook:

Network Frontiers has analyzed over 600 authority documents from both an IT and legal perspective—visit http://www.unifiedcompliance.com/forms/tracked_documents.php for the list of authority documents currently tracked. According to CIO, “They [Network Frontiers] have harmonized the controls for well over 350 into the Unified Compliance Framework (UCF). With over 2400 controls documented, the UCF is the underpinning for a number of governance, risk, and compliance (GRC) vendors such as CA, NetIQ, Compliance Spectrum, and McAfee amongst others.”

Further, many technology vendors, including small open source organizations like Phase2, are continually sharpening their approaches to accessibility and government-level compliance. Drupal now even allows websites to be easily developed in accordance with Section 508/WAI standards. Still, if you are a bit lost with all of this IT security mumbo-jumbo, it would likely behoove your firm to invest in at least a few hours of consultation.

The trade-offs of flexibility, security, information technology, the federal regulatory climate, and scalability will continue to develop as the technological landscape evolves. The challenge will be in streamlining a process for monitoring and managing these aspects simultaneously. For what it’s worth, IT security should be a continually evolving process, not a binder that sits on your office shelves. Your organization is only as safe as your most recent update to the plan.

admin