Effective IT Governance Risk and Compliance Starts at the Top
From the Editors of CIOSC
Information security is a business issue, not just a technology issue. Data breach incidents, new laws and regulations and security audits have grabbed the attention of corporate executives across the globe, driving the evolution of information security from a mainly technical problem into a business challenge. Today's corporate executive must be concerned with protecting the most important assets of any organization: knowledge and data. These executives face an ever-expanding number of critical demands, yet they work in an environment where failure is not an option. If a company experiences a security breach, significant damage may occur on many levels, including the loss of investor and customer confidence. If a company fails a regulatory audit, its executives may be subject to criminal and civil penalties. Corporations must ensure the confidentiality, integrity and availability of their data. Boardrooms are buzzing about governance, risk and compliance and the need to govern the IT infrastructure. This newfound focus has fueled a host of information security initiatives, and corporations are left wondering where to start.

Minimizing risks, showing due diligence
Organizations that start their IT GRC programs from the bottom up often turn to the capabilities of the tools at hand, jumping into establishing technical and procedural controls that ultimately result in inefficient spending and a lot of unnecessary technology thrown at the problem. The best security begins with upper management creating an actual policy or mandate to implement security.

First up: a corporate security policy

Corporate security policies define the procedures, guidelines and practices for configuring and managing security in the business environment. The role of the policy is to tell users what is allowed and to guide administrators and managers in making choices about system configuration and use. A host of information security standards and government regulations -- such as COBIT, ISO 17799, HIPAA and PCI DSS -- provide a solid foundation for a corporate security policy. Too often, organizations find major disconnects between the corporate policies communicated to employees and the actual control objectives required by regulations and frameworks. Policies should be based on industry standards and regulations, but a plain and simple version of the policy that can be rolled out to employees also needs to be created. If all employees help to implement the policies, an organization's information security and regulatory compliance posture should be strong. The best way to get employees on board is through corporate security awareness and training. Having a security policy that is easily measured and enforced is also critical. The corporate security policy provides the acceptable baseline standards against which compliance is measured. And by planning for the worst-case scenario, enterprises can be better prepared for policy violations. An effective security policy doesn't stay static. It is a living document, changing with corporate needs. It evolves to guard against perceived threats and changing system architectures.
Procedural and technical controls

Procedural controls consist of written statements of expected behavior for individuals and the processes they must follow. These controls could include security incident response procedures and business continuity plans. Technical controls include policies that can be technically automated or enforced across the IT infrastructure. For instance, technical controls could include a company's password policies, as well as the secure configuration and protection of system servers. Once policies and controls are documented, the burden of IT GRC shifts to continuous IT infrastructure assessment, validation and monitoring. Regulators and auditors want to be assured that when gaps in a control structure become evident, the organization will promptly identify remediation tasks and complete them. Beyond the regulating authorities, executives within the organization want the same assurances. Organizations must therefore be able to automate the processes that sustain compliance through continuous monitoring, reporting and remediation.

A look at industry leaders

What's more, nearly all IT security technology controls and procedures are now automated among the organizations performing as leaders in compliance. These leaders, according to the IT Policy Compliance Group, are re-allocating funds from external contractors to equipment and software for automating the monitoring and measurement of controls and procedures, and they consistently spend 32% less time on compliance than firms that do not automate such repetitive tasks.

Conclusion