June 20, 2015
Is Management Pressuring You to Prove Your Company is Secure?
Almost every company we talk to is being driven by outside forces to become more secure or to prove some type of security regulation compliance. Increasingly, management teams are putting pressure on IT teams to prove that their company’s data is secure. If your company has not yet been asked by someone to be compliant, it is only a matter of time.
What is Driving IT Security Compliance Initiatives
Pressure from business partners and customers to prove security regulation compliance is probably the number one reason management is initiating security compliance projects. Threats of “no future business” are powerful reasons to comply with requests. Avoiding the unwanted publicity that comes with a potential security breach is another driving factor. More and more, investors and owners are also putting pressure on management and IT teams to prove some type of security compliance in order to fulfill their fiduciary responsibility.
What Alternatives Do Companies Have for Compliance
In most cases, the third parties putting the pressure on companies to become compliant, or to document that they are secure, are not specific on the exact security objectives. This leaves the IT staff with the task of defining the goals of the security project and how it is to be done. Here are some guidelines on how to approach the problem.
The first task is to define the compliance target. What are the goals? Is it compliance with a specific regulation or standard (HIPAA, PCI, SOX, ISO, FFIEC), or is it becoming “Best Practices” secure? Since all regulations are rooted in Best Practices, this is a good goal for smaller companies, while specific regulation compliance may be required for others.
Next define your specific objectives. These objectives are part of an External Security Review and Risk Assessment.
- Understand your risk posture
- Define your prioritized risks
- Understand your security gaps
- Define remediation alternatives and priorities
- Implement as many high priority security solutions as possible
- Achieve Certification level or Best Practices:
  - Get certified to a security standard, or
  - Just understand your risk posture and implement to best practices
Steps to Compliance
The best process to achieve a better understanding of your security risk posture, remediation plan and possible certification is the following:
- Get an External 3rd party Security Review and Risk Assessment
- Remediate the problems found in the Security Review & Assessment
- Validate your updated security posture by retesting
- Install ongoing monitoring, alerting and reporting for security systems
- Review, update and adjust security on an ongoing basis
Once your company starts getting held to a higher security standard (requests for security risk assessments, statements of compliance and the like), the only way you can deal with these issues is by using security experts to assess, validate and recommend solutions. A Risk Assessment is the right first step and will be tailored to your company’s situation. The most common first steps include a security review and network vulnerability tests. Other additional tests can include Network Penetration, WiFi, Website, and phishing tests.
The post Is Management Pressuring You to Prove Your Company is Secure? appeared first on Secure eBusiness Blog.
Source: eSecurity Blog