Organizations today must prove beyond a shadow of a doubt not only that they have a security program in place, but that it is enforced and applied consistently across the organization. Information technology departments play a key role in this endeavor. Shortcomings in IT policies can have potentially serious consequences.
Research by Gartner has shown that 65 percent of all successful computer attacks take advantage of badly configured systems: out-of-the-box default settings, user accounts configured with privileged rights, simple configuration errors, or unscrupulous system administrators. If that is not bad enough, a recently published survey conducted by the U.S. Secret Service together with Carnegie Mellon University’s Software Engineering Institute CERT Program found that eighty-six percent of people who carried out insider sabotage held technical positions, and ninety percent had system administrator or privileged system access, which meant they held the passwords to override the system and access the network.
No matter how secure a system may be, if the controls governing access to that system are inadequate, that weakness will eventually be exposed. A recent Audit Commission report in the UK highlighted that problems are frequently the result of poor access controls, which inevitably increase the risk of accidental damage and deliberate abuse. Instances such as the failure of management to escort disgruntled employees from buildings and to remove all of their IT system access have given such staff the time and opportunity to vent their anger on the organization and cause major disruptions. Interestingly, the report found that the main reasons for breaches were ineffective policies and the failure to enforce policies.
There are also many misconceptions about regulatory compliance for outsourcing. For example if your company has outsourced management of its IT infrastructure, the responsibility of compliance still rests with your company, not its outsourcing partner. Additionally, companies providing outsourcing services need to ensure that they are not implicated in the event that issues arise. In other words, select a good outsource partner and you could be a winner. Select a bad one and you could be out of business. It is not the brand name that should convince you but the quality and experience of the staff that will be responsible for your highly sensitive data.
Compliance and regulatory requirements
Being compliant has become a major focal point for most large organizations, but for all practical purposes it should be a goal of risk management and security in every organization. Regardless of external factors, those responsible for the integrity of the IT environment should be actively involved in ensuring that permanent staff, business partners and contracted staff, any of whom may hold privileged user rights, comply with company policies when handling company assets.
For those organizations that also need to meet public standards, the level of media exposure that has resulted from high-profile cases in the United States means that most people in the IT security arena are familiar with Sarbanes-Oxley, Basel II, 21 CFR Part 11, PCI, Gramm-Leach-Bliley and HIPAA.