What Do Information Security and Swiss cheese have in common? Both have holes in their design.
Rajesh Unadkat
The Central Problem for Information Security Professionals
With the spread of BYOD, SaaS, social media, and mass data and file sharing, IT organizations have lost the ability to lock down their networks and user devices. Security has morphed from keeping "bad stuff out" to figuring out how to keep "our stuff in." As a result, information security now depends heavily on information governance and on users following IT's lead in protecting corporate data, IP, customer data, systems, and assets. Harder still is enforcing information security on vendors, where IT's ability to control anything is even more removed.
Does your organization care?
Is this you? “We don’t have a system to simplify the IT security policy compliance management of our employees and vendors sufficient to pass a rigorous audit with confidence.” There is a big difference between saying that you’re compliant, being compliant, and proving you’re compliant.
Getting people outside of IT security to follow compliance requirements around protecting the business, its intellectual property, and its data is really difficult: people see it as an intrusion into their jobs and treat it as an extra burden and an annoyance. But what they feel is an annoyance is actually what stands between the company and loss of IP, data breaches, audit failures, and potential lawsuits.
Corporate buy-in for the critical components of an IT security compliance program is essential to implementing a people-centric IT security program. You need your end-users engaged before a framework for policy management, SOP training, and a regular security assessment regime can protect the business on top of data and network governance.
What areas do we see as the problem children for IT Security when it comes to dealing with end-user employees and vendors?
These are all soft vulnerabilities that you can't just automate and forget. They depend on users being smart about what they connect to the network, how they access it, and what they do with corporate data. Here is a short list that we know keeps you up at night:
- Weak User Password Security
- BYOD Mobile Devices Security
- Unauthorized Network Access
- Application Data Breaches
- Rogue Apps
- Shadow IT
- Employees Accessing Unauthorized Websites
- File Sharing Vulnerabilities
- Customer Data Access
- Financial Data Access
- Employee Personal Data
- Corporate IP Proliferation
Can you prove it during an audit?
How do you actually manage compliance around Policies, Controls, Assessments, Training, Incidents, and Auditing? Your IT security policy compliance is only as good as your:
Do you have the urgency to improve your IT security compliance posture now?
- Increased regulatory changes?
- Prevalence of breaches scaring senior management?
- Seeing more urgency from management for risk visibility?
- Are your executives worried about personal liability sign-offs?
- Are you seeing business growth, increased centralization, or organizational standardization requirements?
- Any new customer contractual requirements for IT security?
Do you have an issue that we can solve?
- Manage the people side of IT security compliance on top of your data- and application-level policy enforcement tools: policies, SOPs, controls, training, recertification, assessments, onboarding of new vendors, documentation, and so on.
- Enable your employees' and vendors' stakeholders to help adopt the compliance program, protecting the integrity of the business's data, systems, and processes and building a strong audit defense by engaging the whole stakeholder ecosystem in improving the security posture of the business.
- Demonstrate forensic accountability simply, with audit trails, certified acceptance, and demonstrable implementation of controls, plus a continuous improvement loop between reported incidents, remediation, and user training.
- Give business users added benefits in standardizing, documenting, and collaborating around easy-to-win policy frameworks as the foundation of an IT security compliance program; that program also needs a clear, regular assessment regime with definitive incident, severity, and escalation processes that encourage users to report violations.
Granted, we are a little biased, but this is what we think is important in looking for a GRC (Governance Risk and Compliance) platform for IT Security, Information Governance, and Vendor Management:
- Flexibility to meet most of your different GRC use cases on the same platform. Our clients across the globe have deployed numerous use cases addressing compliance, risk management, third-party and vendor management, policy management, and internal and external audits.
- Time to configure measured in days and weeks rather than months: Aruvio can be configured by a business analyst, so most changes do not require custom software development.
- Simplified adoption: Aruvio's GRC platform provides core modular GRC functionality, letting you roll out your GRC program's capabilities without overwhelming your end-users with adoption-killing feature bloat.
- Scalable, mature platform built on Salesforce.com with inherent enterprise-class security, scalability, and capabilities.
Helping to Make the Case
We have also curated a sampling of articles for your perusal as validation of this problem. Taken together, they show it to be an overwhelming, major problem for IT departments: