Information security is a business issue, not just a technology issue. Data breach incidents, new laws and regulations, and security audits have grabbed the attention of corporate executives across the globe, driving the evolution of information security from mainly a technical problem into a business challenge.
Today's corporate executives now must be concerned with protecting the most important assets of any organization-knowledge and data.
These executives face an ever-expanding number of critical demands, yet they work in an environment where failure is not an option. If a company experiences a security breach, significant damages may occur on many levels, including the loss of investor and customer confidence. If a company fails a regulatory audit, the executives may be subject to criminal and civil penalties. Corporations must ensure the confidentiality, integrity and availability of their data.
Board rooms are buzzing about governance risk and compliance and the need to govern IT infrastructure. This new found focus has fueled a host of information security initiatives and corporations are left wondering where to start.
A top down, risk-based approach to IT governance risk and compliance (IT GRC) will enable organizations to minimize their risks and show due diligence to customers and stakeholders. This approach makes it possible to:
- Identify, understand, and interpret the regulations that apply to the business
- Translate those regulations into a generally accepted best practices framework and corporate security policy, which provides the structure used to define control objectives
- Integrate technical checks and procedural controls across the IT infrastructure and the people
- Document and continuously monitor compliance status, and demonstrate proof of compliance to auditors, executive management, and other stakeholders.
Organizations that start their IT GRC programs from the bottom up often turn to the capabilities of the tools at hand, jumping into establishing technical and procedural controls that ultimately result in inefficient spending and a lot of unnecessary technology thrown at the problem. The best security begins with upper management creating an actual policy or mandate to implement security.
The first step is to formulate a corporate security policy. Executives need to determine where are the risks, what does the organization want to accomplish and then write the corporate policy to mitigate these risks. The corporate security policy should be an outline of security practices that every executive in the organization agrees to live by.
Corporate security policies are used to define the procedures, guidelines and practices for configuring and managing security in the business environment. The role of the policy is to guide users in knowing what is allowed, and to guide administrators and managers in making choices about system configuration and use.
A host of information security standards and government regulations, such as CoBIT, ISO 17799, HIPAA and PCI DSS, provide a great foundation for corporate security policy. Too often organizations find major disconnects between corporate policies communicated to employees and the actual control objectives required by regulations and frameworks. Policies should be based on industry standards and regulations, but a plain and simple version of the policy that can be rolled out to employees needs to be created.
If all employees help to implement the policies, an organization's information security and regulatory compliance posture should be strong. The best way to get employees on board is through corporate security awareness and training.
Having a security policy that is easily measured and enforced is also critical. The corporate security policy provides the acceptable baseline standards against which to measure compliance and by planning on the worst-case scenario, enterprises can be better prepared for policy violations.
An effective security policy doesn't stay static. It is a living document, changing with corporate needs. It evolves to guard against perceived threats and changing system architectures.
After establishing the corporate security policy, the next step is to connect the written policy to a set of specific procedural and technical controls on individual components of the organization's infrastructure. Documentation of this structure has become a priority