Compliance and profit
A strategic framework approach pays.

Encryption, log management, data leakage, access control and monitoring: when it comes to compliance, IT managers are faced with a hodgepodge of different point solutions. It doesn’t have to be that way. Having a single strategic approach to compliance provides consistency and enterprise-wide control over information security and lowers IT expenditure over the long term.

A holistic approach to compliance saves a whole lot of headaches. It provides consistent, enterprise-wide control over information security, which means IT has a more attractive bottom line when the CFO comes calling.

Strategic framework

Compliance and governance are driving greater awareness of information security. The current compliance landscape means enterprises need to make sizeable investments, and those investments must adhere to your organisation’s strategic direction.

With a strategic framework, you significantly accelerate your ability to comply with the key regulations that affect your enterprise in New Zealand, whether they are PCI DSS, PII Regulations, government or privacy requirements.

If you don’t, the consequences can be daunting. Hefty penalties could even threaten the very existence of the enterprise. Or you may be prevented from winning new business because non-compliance has barred you from the supply chain.

Being compliant means you mitigate risk, while the resulting gains in productivity and efficiency improve your business. Let’s take a look at the compliance landscape and see how all this happens.

Risk landscape

It’s a given that the technology landscape is constantly evolving. For example, 15 years ago a floppy disc could store only 1.4MB of information; then, with the advent of Zip drives and DVDs, the amount of storage increased dramatically. Today, you can store a terabyte of business-critical data on a USB disk that costs $250 at a local electronics store. These consumer advances are changing risk for everyone.

Throw into the mix the fact that businesses must increasingly meet a wide range of compliance measures designed to mitigate risk, and your IT landscape has over time become a minefield of challenges. It’s a bit like town planning: without a framework, unscrupulous developers run roughshod over the community.

Globally, and here in New Zealand, compliance and governance are the drivers behind new awareness of information security. One glance down the hall at all the offices legal now occupies is enough to remind you that there is a myriad of regulations that need to be corralled into a robust framework.

Trends

What trends are keeping you awake at night? SaaS and cloud computing opportunities reflect the global trend towards lower operating costs and improved business responsiveness. Then you have the huge number of end points now involved in IT: mobile phones, PDAs, thumb drives, iPhones and more.

IT is also becoming more consumerised, with the lines blurred between social media, professional tools and identities. Increasingly, customers are using alternatives to traditional IT and consolidating vendors to address the economic downturn. More than ever, vendor stability is a key consideration in purchasing decisions.

Governance, risk management and compliance issues are increasingly driving greater awareness of information security, and the threat landscape is a constant headache. With the shift from traditional IT infrastructure to virtualised environments, there is a new set of security and compliance considerations for CIOs.

Compliance silos

The problem is that corporations tend to tackle every new compliance and regulatory requirement as a separate IT security project. When you build your house, ideally you should decide what’s going into it before you start. Otherwise you end up with a multiplicity of non-integrated rooms, or in IT’s case, compliance silos.

Non-integrated compliance silos lead to some very uncomfortable issues. Costs rise, visibility is clouded and resources are wasted through unnecessarily complex or duplicate structures and a lack of flexibility. It’s not just you who feels vulnerable and exposed; the entire process is.

The good news is that you can create an acceptable ROI by implementing IT compliance measures that capitalise on the requirements and enhance business outcomes. This is where RSA comes in with its four-step process:

1. Discover and classify: find all the sources of sensitive information across the organisation and categorise their sensitivity.
2. Build policy to address how information should be protected. Policies should consider both the data objects themselves and how the infrastructure that stores and processes the information needs to be secured.
3. Deploy security controls to enforce the policy. This control framework should ideally be based on established security best practices or standards, like ISO 27002, ensuring it is broadly applicable and effective in addressing most security challenges. The range of controls will be wide, but both data controls and access controls should be applied.
4. Monitor the effectiveness of the controls, and audit and document compliance with the policy.

Building a single, strategic framework based on internationally accepted standards and best practices addresses multiple compliance requirements simultaneously, and you lock in consistency and enterprise-wide control over information security.

Downstream, there is a myriad of benefits. The programme generates cost savings through efficient governance and processes, and you can drastically reduce the costs of testing and documentation. You rationalise your corporate infrastructure and improve processes around auditing and reporting. You remove duplication of effort and implement best practices across the enterprise.

Importantly, by building a strategic framework you are being proactive, and you will be recognised for bringing greater sustainability, consistency, efficiency and transparency to the framework.

Key regulations

Formulating a strategic framework significantly accelerates your ability to comply with key portions of the many regulations that affect New Zealand corporations, including PCI DSS, PII Regulations, government and privacy regulations. By incorporating globally accepted standards, including ISO 27002, ITIL and CoBIT, enterprises can build a simplified compliance framework.

Key steps

First, establish an IT risk and compliance charter for your organisation. Develop policies around IT risk management and the compliance framework. Then assess the current state of your IT compliance and determine the desired state and outcome. Finally, enable measurement, assessment and reporting to form a continual improvement cycle for the framework.

The bottom line

The current compliance landscape means New Zealand enterprises have to make sizeable investments, because these issues are driving greater awareness of information security. It’s important to get it right, but with no strategic direction CIOs are left asking themselves, “What is our strategy here?” Otherwise hefty penalties may threaten the existence of the business. At the least, they can be barred from pursuing new business because non-compliance excludes them from the supply chain.

Businesses must assess the risks involved in their compliance landscape, create strategies to deal with those risks and then invest to ensure their businesses are future-proof. The benefits of being compliant are real: businesses mitigate risk, improve productivity and gain the mandatory approvals to conduct business within their operational fields.