Compliance, IT Security and a Clear Conscience
by Calum MacLeod - European Director of Cyber-Ark - Wednesday, 8 August 2007.
Never has the need to prove compliance with external regulations and internal policies been more acute than it is today. The likely consequences of failing to prove that your organization is compliant and that you are strictly adhering to your own policies can be significant, up to and including possible criminal penalties for top corporate executives. And the buck doesn’t stop there. Anyone who is familiar with the Enron story may also remember that it resulted in the once grand Arthur Andersen being brought to its knees, illustrating the thoroughness that external auditors will apply to ensure that they are not implicated.

Organizations today must prove beyond a shadow of a doubt not only that they have a security program in place, but that it is enforced and applied consistently across the organization. Information technology departments play a key role in this endeavor, and shortcomings in IT policies can have serious consequences.

Research by Gartner has shown that 65 percent of all successful computer attacks take advantage of badly configured systems: out-of-the-box default settings left in place, user accounts configured with privileged rights, simple configuration errors, or unscrupulous system administrators. If that is not bad enough, a recently published survey conducted by the U.S. Secret Service together with Carnegie Mellon University's Software Engineering Institute CERT Program found that 86 percent of people who carried out insider sabotage held technical positions and 90 percent had system administrator or privileged system access, which meant they held the passwords needed to override the system's controls and reach the network.

No matter how secure a system may be, if the controls governing access to that system are inadequate, the weakness will eventually be exposed. A recent Audit Commission report in the UK highlighted that problems are frequently the result of poor access controls, which inevitably increase the risk of both accidental damage and deliberate abuse. Instances such as management failing to escort disgruntled employees from the building and to revoke all of their IT system access have given such staff the time and opportunity to vent their anger on the organization and cause major disruption. Interestingly, the report found that the main reasons for breaches were ineffective policies and the failure to enforce the policies that did exist.

There are also many misconceptions about regulatory compliance for outsourcing. For example, if your company has outsourced management of its IT infrastructure, responsibility for compliance still rests with your company, not with its outsourcing partner. Companies providing outsourcing services, for their part, need to ensure that they are not implicated in the event that issues arise. In other words, select a good outsourcing partner and you could be a winner; select a bad one and you could be out of business. It is not the brand name that should convince you but the quality and experience of the staff who will be responsible for your highly sensitive data.

Compliance and regulatory requirements

Being compliant has become a major focal point for most large organizations, but for all practical purposes it should be a risk management and security goal in every organization. Regardless of external factors, those responsible for the integrity of the IT environment should be actively involved in ensuring that permanent staff, business partners and contracted staff, any of whom may hold privileged user rights, comply with company policies when handling company assets.

For those organizations that also need to meet public standards, the level of media exposure that has resulted from high-profile cases in the United States means that most people in the IT security arena are familiar with Sarbanes-Oxley, Basel II, 21 CFR Part 11, PCI, Gramm-Leach-Bliley and HIPAA.

Copyright 1998-2014 by Help Net Security.