I was thumbing through an impressive article over at CMSWire this morning, and it brought to light an important question that, with the end of Microsoft XP looming ever closer, should not only be thought about by consumers and businesses alike, it should be implemented posthaste! When we look at IT and technology in general, we see a business enabler, a giver of information and a social connector all in one... and this is a good thing, it really is... but when the worlds of Security and Compliance cross, it gets really, really mucky!
Let's first take a quick look at some definitions:
IT Security (from Wikipedia)
The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change or destruction. Computer security also includes protection from unplanned events and natural disasters.
IT Compliance (from Wikipedia)
While they exist in the same arena, the article titled Can Security and Compliance Coexist takes the idea of them to a very basic level that states:
Security is about access — whether you can get to systems and data. Compliance is about behavior — what you do with it once you get there.
So if that is the case, and businesses are challenged by being a slave to two masters, what can we do, and what should IT Professionals do with the limited time and resources they have to administer the security and compliance rules?
I am a big fan of the Audit.
Does this mean that one needs to wait for a Federal, State or Provincial watchdog to come in and look through the Policies and Procedures? No. An organization can take on a stronger posture that fits both Security and Compliance simply by taking the time to document and update the procedures that are meant to safeguard the organization or individual from a world that is hell-bent on getting whatever it is that you have and they don't.
As we all move more and more to a Cloud-Based Society, we are ever increasing our reliance on others to do the things that we should be doing ourselves but just never bothered to, and this apathetic view will lead to more security breaches and data privacy leaks.
Taking the time to measure the overall ability of the systems within a business to meet a standard is vital to protecting the information and data that sits inside the walls, and now more than ever out in the nebulous clouds. This becomes an exercise in maintaining a structured Risk Management Policy and Approach to doing business.
I did some quick digging and there are lots of resources out there to build a Self Assessment Audit for your organization. This does not mean that you need to head out and get your Certified Information Security Auditor designation (although I am seriously considering it), but it does mean that you have to take the work you are doing seriously (and it doesn't matter if you are a Computer User, Network Admin or CIO) and consider the Risks that are taken with every business decision and every keystroke in the Cloud.
Here are some of the resources that I dug up. I strongly recommend using them as templates to build a structured approach for IT Security and Compliance:
- Security Configuration Checklist for IT Products by NIST
- Business Continuity Checklists by the Federal Emergency Management Agency (FEMA)
- Information Security – How to Prepare for IT Audits by IT Compliance Institute
- ITAF: A Professional Practices Framework for IS Audit/Assurance, 2nd Edition by ISACA
- ISO27002 Security Framework Audit Program by the INFOSEC Institute