Effective IT Governance, Risk and Compliance Starts at the Top

From the Editors of CIOSC

Information security is a business issue, not just a technology issue. Data breach incidents, new laws and regulations, and security audits have grabbed the attention of corporate executives across the globe, driving the evolution of information security from a mainly technical problem into a business challenge. Today’s corporate executives must be concerned with protecting the most important assets of any organization: knowledge and data.

These executives face an ever-expanding number of critical demands, yet they work in an environment where failure is not an option. If a company experiences a security breach, significant damages may occur on many levels, including the loss of investor and customer confidence. If a company fails a regulatory audit, the executives may be subject to criminal and civil penalties. Corporations must ensure the confidentiality, integrity and availability of their data.

Boardrooms are buzzing about governance, risk and compliance and the need to govern the IT infrastructure. This newfound focus has fueled a host of information security initiatives, and corporations are left wondering where to start.

Minimizing risks, showing due diligence
A top-down, risk-based approach to IT governance, risk and compliance (IT GRC) enables organizations to minimize their risks and show due diligence to customers and stakeholders. This approach makes it possible to:

  • Identify, understand and interpret the regulations that apply to the business.
  • Translate those regulations into a generally accepted best-practices framework and corporate security policy, which provides the structure used to define control objectives.
  • Map best-practice frameworks into sets of technical checks and procedural controls.
  • Integrate technical checks and procedural controls across the IT infrastructure and the people.
  • Document and continuously monitor compliance status, and demonstrate proof of compliance to auditors, executive management and other stakeholders.

Organizations that start their IT GRC programs from the bottom up often begin with the capabilities of the tools at hand, jumping straight into establishing technical and procedural controls. The result is inefficient spending and a lot of unnecessary technology thrown at the problem. The best security begins with upper management creating an actual policy or mandate to implement security.

First up: a corporate security policy
The first step is to formulate a corporate security policy. Executives need to determine where the risks are, what the organization wants to accomplish and then write the corporate policy to mitigate these risks. The corporate security policy should be an outline of security practices that every executive in the organization agrees to live by.

Corporate security policies are used to define the procedures, guidelines and practices for configuring and managing security in the business environment. The role of the policy is to guide users in knowing what is allowed and to guide administrators and managers in making choices about system configuration and use.

A host of information security standards and government regulations -- such as COBIT, ISO 17799, HIPAA and PCI DSS -- provide a solid foundation for a corporate security policy. Too often, organizations find major disconnects between the corporate policies communicated to employees and the actual control objectives required by regulations and frameworks. Policies should be based on industry standards and regulations, but a plain and simple version of the policy also needs to be created so that it can be rolled out to employees.

If all employees help to implement the policies, an organization’s information security and regulatory compliance posture should be strong. The best way to get employees on board is through corporate security awareness and training.

Having a security policy that is easily measured and enforced is also critical. The corporate security policy provides the acceptable baseline standards against which to measure compliance. And, by planning on the worst-case scenario, enterprises can be better prepared for policy violations.

An effective security policy doesn’t stay static. It is a living document, changing with corporate needs. It evolves to guard against perceived threats and changing system architectures.

Procedural and technical controls
After establishing the corporate security policy, the next step is to connect the written policy to a set of specific procedural and technical controls on individual components of the organization’s infrastructure. Documentation of this structure has become a priority for auditors.

Procedural controls consist of written statements of the behavior expected of individuals and the processes they must follow. These controls could include security incident response procedures and business continuity plans.

Technical controls include policies that can be technically automated or enforced across the IT infrastructure. For instance, technical controls could include a company’s password policies, as well as the secure configuration and protection of system servers.

Once policies and controls are documented, the burden of IT GRC shifts to continuous assessment, validation and monitoring of the IT infrastructure. Regulators and auditors want to be assured that when gaps in a control structure become evident, the organization will promptly identify remediation tasks and complete them. Beyond the regulating authorities, executives within the organization want the same assurances. Organizations must therefore be able to automate the processes that sustain compliance through continuous monitoring, reporting and remediation.
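The chain the article describes (a plain-language policy statement, mapped to a control objective, enforced by a technical check, with failures turned into remediation tasks and the assessment cadence tracked) can be made concrete in a small amount of code. The example below is added here and is not code from the article or from the IT Policy Compliance Group; the control identifiers (PW-01, SRV-01 and so on), the host configurations and the assessment dates are all constructed for illustration, and the 19-day interval is borrowed from the assessment frequency the article attributes to compliance leaders.

```python
"""Policy-to-control mapping with automated checks and a remediation report.

Added example, not from the original article. Control ids, host
configurations and dates are constructed; the point is the structure:
policy statement -> technical check -> measured status -> remediation task.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List


@dataclass
class Control:
    control_id: str                 # hypothetical identifier, e.g. "PW-01"
    policy_statement: str           # plain-language line from the policy
    check: Callable[[dict], bool]   # technical check run against host evidence
    remediation: str                # task raised when the check fails


@dataclass
class Finding:
    host: str
    control_id: str
    remediation: str


# Technical controls derived from (constructed) corporate policy statements.
CONTROLS: List[Control] = [
    Control("PW-01", "Passwords must be at least 12 characters",
            lambda cfg: cfg["password_min_length"] >= 12,
            "Raise password_min_length to 12 in the host password policy"),
    Control("PW-02", "Passwords must be rotated at least every 90 days",
            lambda cfg: 0 < cfg["password_max_age_days"] <= 90,
            "Set password_max_age_days to 90 or less (0 means never expires)"),
    Control("SRV-01", "Remote administrative login as root is not permitted",
            lambda cfg: cfg["ssh_permit_root_login"] is False,
            "Set PermitRootLogin no in sshd_config and restart sshd"),
    Control("SRV-02", "Servers must be patched within 30 days of release",
            lambda cfg: cfg["days_since_last_patch"] <= 30,
            "Schedule a patch window and apply pending updates"),
]

# Constructed evidence, as a configuration-collection agent might report it.
HOSTS: Dict[str, dict] = {
    "web-01": {"password_min_length": 14, "password_max_age_days": 60,
               "ssh_permit_root_login": False, "days_since_last_patch": 10},
    "db-01":  {"password_min_length": 8, "password_max_age_days": 0,
               "ssh_permit_root_login": True, "days_since_last_patch": 45},
    # app-01 reports no SSH evidence at all: missing evidence must not pass.
    "app-01": {"password_min_length": 12, "password_max_age_days": 90,
               "days_since_last_patch": 30},
}

# Constructed assessment history used to enforce the monitoring cadence.
LAST_ASSESSED: Dict[str, date] = {
    "web-01": date(2007, 10, 25),
    "db-01": date(2007, 10, 1),
    "app-01": date(2007, 10, 12),
}
AS_OF = date(2007, 10, 31)


def assess(hosts: Dict[str, dict], controls: List[Control] = CONTROLS) -> List[Finding]:
    """Run every technical check on every host; each failure is a remediation task."""
    findings: List[Finding] = []
    for host, cfg in hosts.items():
        for c in controls:
            try:
                ok = c.check(cfg)
            except KeyError:
                ok = False  # no evidence collected counts as a control gap
            if not ok:
                findings.append(Finding(host, c.control_id, c.remediation))
    return findings


def compliance_rate(hosts: Dict[str, dict], findings: List[Finding],
                    controls: List[Control] = CONTROLS) -> float:
    """Fraction of (host, control) pairs that passed; the number for the board."""
    total = len(hosts) * len(controls)
    return (total - len(findings)) / total if total else 1.0


def overdue_assessments(last_assessed: Dict[str, date], today: date,
                        max_interval_days: int = 19) -> List[str]:
    """Hosts whose last assessment is older than the allowed interval."""
    return sorted(h for h, d in last_assessed.items()
                  if (today - d).days > max_interval_days)


def report(hosts: Dict[str, dict] = HOSTS, today: date = AS_OF) -> List[str]:
    """Human-readable status lines for auditors and management."""
    findings = assess(hosts)
    lines = [f"Compliance rate: {compliance_rate(hosts, findings):.1%}"]
    lines += [f"GAP {f.host} {f.control_id}: {f.remediation}" for f in findings]
    lines += [f"OVERDUE {h}: not assessed in the last 19 days"
              for h in overdue_assessments(LAST_ASSESSED, today)]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With the constructed inputs, db-01 fails all four controls, app-01 fails SRV-01 only because it reported no SSH evidence, and db-01 is flagged as overdue for assessment. Treating missing evidence as a failure is the deliberate design choice: a monitoring program that silently passes hosts it cannot see would give auditors and executives exactly the false assurance the article warns against.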

A look at industry leaders
Industry compliance leaders monitor, measure and assess controls 12 times more frequently than industry laggards. Enterprises with two or fewer compliance deficiencies and two or fewer data losses annually conduct assessments once every 19 days, while laggards assess controls once every 230 days (“Core Competencies for Protecting Sensitive Data,” IT Policy Compliance Group, October 2007).

What’s more, nearly all IT security technology controls and procedures are now automated among the organizations performing as leaders in compliance. These leaders, according to the IT Policy Compliance Group, are re-allocating funds from external contractors to equipment and software for automating the monitoring and measurement of controls and procedures, and they are consistently spending 32% less time on compliance than firms that do not automate such repetitive tasks.

Conclusion
Failing to comply with industry and governmental regulation comes at a great cost in the form of penalties, damage to the organization’s brand and financial loss. To protect valuable data, enterprises today must look to improve their IT GRC programs from both a policy and a technology standpoint. The good news is that the executive suite is increasingly aware of the stakes and recognizes that IT GRC is a business decision that affects the viability of the whole company.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.

Dated: March 01, 2005
http://www.cio.com/blog_view.html?ID=221


About CIO.com | Welcome | Privacy Policy | Terms of Service | Linking to us

CIO.COM complies with the ASME Guidelines with IDG extensions for new media.

CIO magazine chief information officer ERP strategy IT research analysis business technology management e-business knowledge management intranet CRM cio.com CRM customer relationship management e-business ERP enterprise resource management leadership management measuring IT value outsourcing supply chain

© 1994 - 2005 CXO Media Inc.

An International Data Group (IDG) Company



 HOME  CURRENT ISSUE  ARCHIVE   About CIO :: Advertise :: Subscribe :: Conferences 

Reprints, IDG Network, Privacy Policy

THE IDG NETWORK
CSO :: CMO :: Darwin :: Computerworld :: Network World :: Infoworld :: PC World :: Bio-IT World
IT Careers:: JavaWorld :: Macworld :: Mac Central :: Playlist :: GamePro :: GameStar :: Gamerhelp



Problems/complaints/compliments about this site can be sent to deiben@cio.com.