Compliance, IT Security and a Clear Conscience
by Calum MacLeod - European Director of Cyber-Ark - Wednesday, 8 August 2007.
However, it is not simply these much publicized standards. Today most countries have very similar regulations in place, such as France’s “Loi de Sécurité Financière”, Germany’s “KonTraG”, the UK’s “Combined Code” and the Netherlands’ “Tabaksblat Code”, which require a similar level of due diligence when it comes to IT security practices, although the extent to which they are compulsory varies from country to country.

Additionally, many organizations are adopting best practices by implementing standards such as ITIL and ISO 27001 in order to ensure consistency across their enterprises. From an IT perspective, what all of these regulations have in common is that they require the strengthening of internal controls related to the use of IT systems.

The controls that are specified in most standards are very similar. All deal with the primary threats that exist in the IT environment, focusing on the misuse of privileged accounts, mistakes by privileged users and malfunctions within the IT infrastructure itself, particularly when it comes to the security of highly sensitive information. The IT security group needs to be able to prove which privileged user accessed which system, demonstrate that confidential systems and data could not have been accessed by those who had no rights, and show that those who do have such rights are tracked.

The importance of automation in tracking and reporting IT controls cannot be overstated. These tools are important in providing timely alerts by continuously collecting and alerting on events for any critical component within the IT infrastructure. Additionally, they are an important factor in reducing the costs associated with collating the information.

For any organization that must comply with these regulations, it is mandatory that the IT department complies, and the IT security department must be able to demonstrate to the rest of the organization, and to the external parties that monitor its activities, that the IT controls in place are adequate and effective.

Anyone who has been faced with an audit, either internal or external, can attest to the resource demands that are placed on the IT organization. This can be especially challenging when an organization is present in different geographical locations. The effectiveness of the controls and reporting tools within the IT security department is critical both to achieving a successful audit and to limiting the resources required to deliver the necessary information. Ultimately, you are answering the questions: do you have the important controls in place, have you implemented effective change management, are your access controls effective, and, of course, can you prove it?

A major challenge facing organizations today is that regulations do not make allowances for unintentional errors, and human error is one of the biggest risks faced by companies, especially as pressure to reduce costs means that more and more tasks are being carried out by fewer staff. Today almost all risk results from internal threats, and because many organizations focus their investment on protecting against external threats, they are often not adequately prepared to protect against internal risks. Today any organization that has an IT infrastructure relies heavily on databases, and database security practices, including everyone and every process that accesses the database, will always be scrutinized very closely by auditors.


More than 900 embedded devices share hard-coded certs, SSH host keys

SEC Consult analyzed firmware images of more than 4000 embedded devices of over 70 vendors and found that, in some cases, there are nearly half a million devices on the web using the same certificate.
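The finding above is about key and certificate reuse across a fleet, which is something a defender can check for in their own inventory. The following script is an added example, not SEC Consult's tooling and not code from the original article: it assumes a hypothetical inventory mapping device ids to a vendor and the SSH host public key line recovered from each firmware image (the ids, vendors and key blobs are constructed for illustration), computes OpenSSH-style SHA256 fingerprints, and reports any fingerprint presented by more than one device, flagging groups that span several vendors. Unparseable key lines are skipped and reported rather than silently dropped.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample inventory: device id -> (vendor, SSH host public key line).
# The vendors, device ids and base64 blobs are made up for illustration and are
# not real products or real host keys.
SAMPLE_INVENTORY = {
    "router-a1": ("VendorA", "ssh-rsa " + base64.b64encode(b"constructed-key-blob-1").decode()),
    "router-a2": ("VendorA", "ssh-rsa " + base64.b64encode(b"constructed-key-blob-1").decode()),
    # Same blob as above, different comment: still the same key.
    "camera-b1": ("VendorB", "ssh-rsa " + base64.b64encode(b"constructed-key-blob-1").decode() + " root@build"),
    "gateway-b2": ("VendorB", "ssh-ed25519 " + base64.b64encode(b"constructed-key-blob-2").decode()),
    "dvr-c1": ("VendorC", "ssh-rsa " + base64.b64encode(b"constructed-key-blob-3").decode()),
    "dvr-c2": ("VendorC", "ssh-rsa " + base64.b64encode(b"constructed-key-blob-3").decode()),
    # Malformed entry, e.g. a truncated extraction; must be reported, not ignored.
    "broken-d1": ("VendorD", "ssh-rsa not-valid-base64!!"),
}


def fingerprint(key_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a public key line.

    Accepts "<type> <base64> [comment]". The comment is ignored because two
    devices presenting identical key blobs share the key regardless of label.
    Raises ValueError for lines that cannot be parsed.
    """
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"bad base64 in key material: {exc}") from exc
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the base64 digest without trailing padding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def group_by_fingerprint(inventory):
    """Map each fingerprint to the sorted device ids presenting it.

    Returns (groups, skipped); skipped lists devices whose key line could not
    be parsed so the analyst knows coverage is incomplete.
    """
    groups = defaultdict(list)
    skipped = []
    for device, (_vendor, key_line) in inventory.items():
        try:
            groups[fingerprint(key_line)].append(device)
        except ValueError:
            skipped.append(device)
    return {fp: sorted(devs) for fp, devs in groups.items()}, sorted(skipped)


def shared_keys(inventory):
    """Return fingerprints presented by more than one device, most widely shared first."""
    groups, _skipped = group_by_fingerprint(inventory)
    findings = []
    for fp, devices in groups.items():
        if len(devices) < 2:
            continue
        vendors = sorted({inventory[d][0] for d in devices})
        findings.append({
            "fingerprint": fp,
            "devices": devices,
            "vendors": vendors,
            # Reuse across vendors usually points at a shared SDK or reference firmware.
            "cross_vendor": len(vendors) > 1,
        })
    findings.sort(key=lambda f: (-len(f["devices"]), f["fingerprint"]))
    return findings


if __name__ == "__main__":
    for finding in shared_keys(SAMPLE_INVENTORY):
        scope = "CROSS-VENDOR" if finding["cross_vendor"] else "single vendor"
        print(f"{finding['fingerprint']}  shared by {len(finding['devices'])} devices "
              f"({scope}: {', '.join(finding['vendors'])}): {', '.join(finding['devices'])}")
    _, skipped = group_by_fingerprint(SAMPLE_INVENTORY)
    if skipped:
        print("unparseable key lines (check extraction):", ", ".join(skipped))
```

The same grouping works for TLS certificates by replacing `fingerprint` with a SHA256 over the DER-encoded certificate; a key or certificate that appears on more than one device should be treated as compromised for all of them, since it cannot be relied on to identify any single device.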
