Perimeter
2/29/2012
04:03 PM
Connect Directly
RSS
E-Mail
50%
50%

It's True: Compliance Can Be Good For Your Business

The best insurance for your organization is often the processes required for compliance

I’ve often thought that many businesses not subject to compliance requirements should still pick one or two compliance standards and become at least informally compliant. While that may seem like a lot of extra, expensive work, if done with thought and prudence, it can be better insurance than anything a company can buy.

Let me explain. Organizations insure their physical assets against loss from fire, theft, and other damage. Most protect their data with a robust backup system. What they most commonly skip is protecting how things get done in the business. Processes and procedures, both technical and operational, are often poorly documented, if documented at all.

If key staff becomes unavailable for any reason, it can be very expensive to determine how they did their job and why they did it that way. “Who knows how to restore the backup?” “How do we add a new user to the accounting system?” There are literally thousands of answers to questions like these that go undocumented.

Across the range of the various compliance standards, the most common element is thorough, current documentation. After all, no one can assess or confirm compliance without the steps, process, or procedure explained in detail. No auditor will accept, “The IT staff said they do this correctly,” as verification the process is done, managed, tracked, and verified.

Current, useful documentation is the answer because inevitably the question will be, “How?” Documentation explains how: how tasks are performed, how often they are performed, how they are tracked, how they are verified, and a host of other “hows.” When done right, this documentation is your operations guide for much of your business. It’s a book of important actions -- the fundamental, essential things for you to do to keep your company on track.

Creating and maintaining such documentation can be an incredibly beneficial project for an organization. I find many companies, especially small and midsize organizations, have almost no idea how their employees do their jobs. In documenting how the work gets done, you’ll unearth a number of surprises: onefficiencies, security problems, redundancies, and even holes.

Creating documentation is really about understanding how things work and recording them. Once recorded, you have a blueprint you can adjust, usually a number of potential efficiencies you can enact, and, ultimately, money you can save.

Now, I will agree that documentation can be taken to an extreme. We’ve all seen companies where the documentation requirements were so involved that people created wasteful and often informal -- and therefore undocumented -- processes to “get around” the overhead of smothering documentation. The best documentation is never going to be the longest document.

Most organizations that are compliant with recognized standards are better businesses. They are more stable, more secure, and more efficient. It is easier to add new staff, understand who to hire, and even easier to sell such a business.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio