Compliance and regulatory requirements
Being compliant has become a major focal point for most large organizations, but for all practical purposes it should be a goal of risk management and security in every organization. Regardless of external factors, those responsible for the integrity of the IT environment should be actively involved in ensuring that permanent staff, business partners and contracted staff, any of whom may hold privileged user rights, comply with company policies when handling company assets.
For those organizations that also need to meet public standards, the level of media exposure that has resulted from high-profile cases in the United States means that most people in the IT security arena are familiar with Sarbanes-Oxley, Basel II, 21 CFR Part 11, PCI, Gramm-Leach-Bliley and HIPAA.
However, it is not simply these much-publicized standards. Today most countries have very similar regulations in place, such as France's "Loi de Sécurité Financière", Germany's "KonTraG", the UK's "Combined Code" and the Netherlands' "Tabaksblat Code", which require a comparable level of due diligence in IT security practices, although the degree to which they are compulsory varies from country to country.
Additionally, many organizations are adopting best practices by implementing standards such as ITIL, and ISO 27001 in order to ensure consistency across their enterprises. From an IT perspective, what all of these regulations have in common is that they require the strengthening of internal controls related to the use of IT systems.
The controls specified in most standards are very similar. All deal with the primary threats in the IT environment, focusing on the misuse of privileged accounts, mistakes by privileged users and malfunctions within the IT infrastructure itself, particularly where highly sensitive information is concerned. The IT security group needs to be able to prove which privileged user accessed which system, demonstrate that confidential systems and data could not have been accessed by those without rights, and show that those who do have rights are tracked.
The importance of automation in tracking and reporting IT controls cannot be overstated. These tools are important in providing timely alerts by continuously collecting and alerting on events for any critical component within the IT infrastructure. Additionally, they are an important factor in reducing the costs associated with collating the information.
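The two controls described above, attributing every privileged access to a named user and continuously collecting events so that missing rights or missing log sources are alerted on, can be illustrated with a small audit-log processor. The following is an added example written for this page, not code from the article or from any product it mentions; the log format, the entitlement map and the system names are all constructed for illustration.

```python
"""Privileged-access attribution and alerting over a constructed audit log.

Added example, not part of the original article. The log line format
("timestamp user system action"), the entitlement table and the host
names below are all assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed entitlement map: which privileged users are approved for which
# systems. In a real environment this would be exported from the IAM or
# access-approval system, not hard-coded.
ENTITLEMENTS = {
    "alice": {"db-prod-01", "db-prod-02"},
    "bob": {"web-prod-01"},
    "carol-contractor": {"web-prod-01"},
}

# Constructed list of systems that are in scope for the control; every one of
# them is expected to be sending audit events.
IN_SCOPE_SYSTEMS = {"db-prod-01", "db-prod-02", "db-prod-03", "web-prod-01"}

# Constructed sample audit lines (not real data).
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice db-prod-01 sudo_session_start
2024-03-01T08:15:40Z bob web-prod-01 sudo_session_start
2024-03-01T09:01:05Z carol-contractor db-prod-02 sudo_session_start
2024-03-01T09:30:00Z mallory web-prod-01 sudo_session_start
2024-03-01T10:00:00Z alice db-prod-02 config_change
"""


def parse_audit_line(line):
    """Split one 'timestamp user system action' line into a dict."""
    ts, user, system, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "system": system,
        "action": action,
    }


def iter_events(log_text):
    """Yield parsed events, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield parse_audit_line(line)


def access_report(log_text):
    """Return {user: {system: [actions]}} so each privileged access is attributable.

    This is the 'who accessed what' evidence an auditor asks for.
    """
    report = defaultdict(lambda: defaultdict(list))
    for ev in iter_events(log_text):
        report[ev["user"]][ev["system"]].append(ev["action"])
    return {user: dict(systems) for user, systems in report.items()}


def find_violations(log_text, entitlements):
    """Return (user, system, action) for every access by a user with no right
    to that system. Each of these should raise an alert, whether the user is
    unknown entirely or merely entitled elsewhere."""
    violations = []
    for ev in iter_events(log_text):
        allowed = entitlements.get(ev["user"], set())
        if ev["system"] not in allowed:
            violations.append((ev["user"], ev["system"], ev["action"]))
    return violations


def silent_sources(log_text, in_scope_systems):
    """Return in-scope systems that produced no events at all.

    A silent source is a collection gap (agent down, forwarding broken), and
    the control is only demonstrable for systems whose events actually arrive.
    """
    seen = {ev["system"] for ev in iter_events(log_text)}
    return in_scope_systems - seen


if __name__ == "__main__":
    for user, systems in sorted(access_report(SAMPLE_LOG).items()):
        print(user, systems)
    for v in find_violations(SAMPLE_LOG, ENTITLEMENTS):
        print("ALERT unauthorized privileged access:", v)
    for s in sorted(silent_sources(SAMPLE_LOG, IN_SCOPE_SYSTEMS)):
        print("ALERT no audit events received from in-scope system:", s)
```

On the constructed log, the report attributes five events to four users, two accesses are flagged because the user has no entitlement to that system (a contractor on a database host and an unknown account on a web host), and one in-scope system is flagged as silent. The three checks are kept as separate functions returning plain data so they can feed a reporting or alerting pipeline rather than only printing.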
For any organization that must comply with these regulations, it is mandatory that the IT department complies, and the IT security department must be able to demonstrate, both to the rest of the organization and to the external parties that monitor its activities, that the IT controls in place are effective and adequate.