Perimeter
2/29/2012
04:03 PM
50%
50%

It's True: Compliance Can Be Good For Your Business

The best insurance for your organization is often the processes required for compliance

I’ve often thought that many businesses not subject to compliance requirements should still pick one or two compliance standards and become at least informally compliant. While that may seem like a lot of extra, expensive work, if done with thought and prudence, it can be better insurance than anything a company can buy.

Let me explain. Organizations insure their physical assets against loss from fire, theft, and other damage. Most protect their data with a robust backup system. What they most commonly skip is protecting how things get done in the business. Processes and procedures, both technical and operational, are often poorly documented, if documented at all.

If key staff becomes unavailable for any reason, it can be very expensive to determine how they did their job and why they did it that way. “Who knows how to restore the backup?” “How do we add a new user to the accounting system?” There are literally thousands of answers to questions like these that go undocumented.

Across the range of the various compliance standards, the most common element is thorough, current documentation. After all, no one can assess or confirm compliance without the steps, process, or procedure explained in detail. No auditor will accept, “The IT staff said they do this correctly,” as verification the process is done, managed, tracked, and verified.

Current, useful documentation is the answer because inevitably the question will be, “How?” Documentation explains how: how tasks are performed, how often they are performed, how they are tracked, how they are verified, and a host of other “hows.” When done right, this documentation is your operations guide for much of your business. It’s a book of important actions -- the fundamental, essential things for you to do to keep your company on track.

Creating and maintaining such documentation can be an incredibly beneficial project for an organization. I find many companies, especially small and midsize organizations, have almost no idea how their employees do their jobs. In documenting how the work gets done, you’ll unearth a number of surprises: onefficiencies, security problems, redundancies, and even holes.

Creating documentation is really about understanding how things work and recording them. Once recorded, you have a blueprint you can adjust, usually a number of potential efficiencies you can enact, and, ultimately, money you can save.

Now, I will agree that documentation can be taken to an extreme. We’ve all seen companies where the documentation requirements were so involved that people created wasteful and often informal -- and therefore undocumented -- processes to “get around” the overhead of smothering documentation. The best documentation is never going to be the longest document.

Most organizations that are compliant with recognized standards are better businesses. They are more stable, more secure, and more efficient. It is easier to add new staff, understand who to hire, and even easier to sell such a business.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.