
Ensuring Security and Compliance throughout an Organization

December 25, 2009
In today’s corporate environment, CIOs and security managers need to protect information assets such as intellectual property and personally identifiable information.
Key business drivers for data protection include regulatory compliance, competition in the market, legal and recovery costs associated with breaches, and brand risk. So how do risk managers address these issues?
There are several actions that can be taken in parallel and it should be noted that ensuring security and compliance is an ongoing process, not a single action. As an organization improves its security and compliance posture, processes can be institutionalized and improved over time.
An initial activity should include discovering what, if any, regulations the organization must comply with. Data protection regulations generally address a specific data type such as PCI for credit card data, HIPAA for health information, GLBA and SOX for financial data, and so on. Public companies typically hold more responsibilities, but all companies must comply with some regulations, including state breach laws around personal information.
Another activity useful for protecting data is called data classification, where an organization discovers what data resides where in the corporate environment, who uses it, who “owns” it, and how it is stored, processed and transmitted.
Once the data classification and regulatory assessments are complete, a corporate policy can be developed. This information security policy is a high-level document describing the organization’s governance of data, including executive sponsorship. The policy is then communicated to employees, and training is conducted to educate everyone on how to comply with it.
The ISO 27002 standard is an internationally recognized standard that provides guidance on how organizations can protect IT assets. It is often considered a benchmark that can enable an organization to meet many, if not all, of its security and compliance goals. Other useful standards include ITIL, COBIT, and NIST. These standards, along with detailed procedures, can enhance an organization’s high-level security and compliance policy.
The organization can now begin to implement controls according to policy to protect data. Controls include technical, administrative and physical means, and these can certainly take time to design and deploy. Regular assessments of the security program by internal audit and external consultants complement IT security efforts to secure corporate IT assets.
To ensure ongoing diligence, an IT security manager, chief security officer, chief risk officer or an IT security steering committee should be established to bear responsibility for the overall program. This function is best organized outside of IT to provide better segregation of duties and governance.
With a well-designed and well-documented set of processes and controls, an organization can ensure IT security and compliance throughout the enterprise. The most important first step is to remember that security and compliance are an ongoing process, and not simply a bullet to mark on a checklist.