Subscribe
Sectors
Companies
About
  • Home
  • /
  • Security
  • /
  • Security regulations: the IT department's coming-out party

Security regulations: the IT department's coming-out party

By Ulrich Weigel for 10NET ICT Solutions
Johannesburg, 02 Jul 2007

From an IT security point of view, South Africa is not heavily mandated. There are some local regulations, such as Basel II, and for some there are the international regulations that they must comply with.

But, the problem with regulations is they provide no specific roadmaps for IT departments on what technologies to employ, what processes to deploy and how to manage the entire shift.

But regulations need not be a vague collection of pain points for IT departments to worry about. With executives aware of the ramifications for failing to comply with legislation, new and emerging regulations are also a perfect way for IT departments to come out and get the budget they always wanted.

Budget not wasted on discovering requirements

IT departments need not spend any of that welcome budget on discovering how to meet vague security requirements. IT vendors have already done a great deal of the groundwork. Customers can tap into the vendors' efforts through white papers, technical experts and the vendors' internal systems: they must also comply with regulations.

The most common problem that customers face is reporting their IT security compliance to executives. There are consultants who will do it for them, but since companies will be required to report compliance every year, it is a far better idea to automate the process as much as possible. For most companies, it will save a great deal of time and expense.

Reporting is a key ingredient to automation's success. Different executives have different mandates, and the technical and executive roles seldom mix well. One solution is Web-based reporting, categorised by role.

Appropriate access will allow people to interrogate it and quickly get to the information that matters to them. Above all, the system must divulge answers to questions that business users will pose. A colour-coded bar works well for a broad overview. But clicking on it should allow the executive to interrogate the criteria from which that bar is derived. Consider, too, that auditors will need to investigate the reports, and if they find it difficult, it will negatively impact the company's rating.

Policies the next challenge

The next challenge for organisations embarking on a compliance reporting project is policies. They must govern everything that employees do and link into governance, legal and HR mandates.

The key to success is good management and regular updates. While some organisations will write their own policies, most will contract consultants because, while it may not at first glance appear so, it requires specialist knowledge and skills.

Managing policies can be tricky. One component is ensuring that people read them, understand them and act on them. Since IT security policies are not integral to most employees' jobs, and since many employees are pressed for time, policy documents regularly achieve a low status on priority lists. They are seldom even read, let alone acted on.

People cannot be patched. Anyone who wants to make responsible employees and managers part of the security system must win them over and equip them with knowledge.

Every employee with access to company data is effectively part of the IT supply chain and must implement the predetermined security policies. Even the team assistant is affected by security policies; anyone sending e-mails should be able to recognise phishing. The only way to deal with external threats in a sustained manner is to shift security know-how from the IT department's security ivory tower into the heads and consciousness of all employees.

Getting people to read the security policies is easy. Making them sign off that they have read and understood them and then take a quiz on the documents will ensure it. A Web-based tool can be used for ongoing training. This ensures people don't forget about security; that it remains top of mind.

From ivory tower to trenches

Regulations may at first appear to hinder IT security, since they place an overhead on the entire company, not just the IT department; but the regulations came about because there was a need to secure the corporate world.

If the regulations take security from the IT department's ivory tower and place it into every single office and cubicle, then regulations are not a hindrance.

Any organisation that makes security everyone's problem will reduce its exposure to risk.

*10Net ICT Solutions distributes Attachmate's NetIQ security products in South Africa.

Share

10Net

10Net is a value-added distributor focusing on solutions in the areas of Web and e-mail content filtering, performance and availability management, security management, configuration and vulnerability management, operational change control, active directory management, full Internet and mobile security. Most of these solutions integrate through an open, service-oriented architecture that enables common reporting, analytics and dashboarding. Organisations can thus reduce system and security risks by analysing, securing and optimising their IT infrastructure. The combined product range from vendors such as Marshal, Attachmate NetIQ and BullGuard enables 10Net to provide integrated systems and security management solutions.

Editorial contacts

Karen Heydenrych
Predictive Communications
(011) 608 1700
Karen@predictive.co.za
Riaan Otto
10NET ICT Solutions
(011) 783 7335
riaan@10net.co.za