Perimeter
2/29/2012
04:03 PM
50%
50%

It's True: Compliance Can Be Good For Your Business

The best insurance for your organization is often the processes required for compliance

I’ve often thought that many businesses not subject to compliance requirements should still pick one or two compliance standards and become at least informally compliant. While that may seem like a lot of extra, expensive work, if done with thought and prudence, it can be better insurance than anything a company can buy.

Let me explain. Organizations insure their physical assets against loss from fire, theft, and other damage. Most protect their data with a robust backup system. What they most commonly skip is protecting how things get done in the business. Processes and procedures, both technical and operational, are often poorly documented, if documented at all.

If key staff becomes unavailable for any reason, it can be very expensive to determine how they did their job and why they did it that way. “Who knows how to restore the backup?” “How do we add a new user to the accounting system?” There are literally thousands of answers to questions like these that go undocumented.

Across the range of the various compliance standards, the most common element is thorough, current documentation. After all, no one can assess or confirm compliance without the steps, process, or procedure explained in detail. No auditor will accept, “The IT staff said they do this correctly,” as verification the process is done, managed, tracked, and verified.

Current, useful documentation is the answer because inevitably the question will be, “How?” Documentation explains how: how tasks are performed, how often they are performed, how they are tracked, how they are verified, and a host of other “hows.” When done right, this documentation is your operations guide for much of your business. It’s a book of important actions -- the fundamental, essential things for you to do to keep your company on track.

Creating and maintaining such documentation can be an incredibly beneficial project for an organization. I find many companies, especially small and midsize organizations, have almost no idea how their employees do their jobs. In documenting how the work gets done, you’ll unearth a number of surprises: onefficiencies, security problems, redundancies, and even holes.

Creating documentation is really about understanding how things work and recording them. Once recorded, you have a blueprint you can adjust, usually a number of potential efficiencies you can enact, and, ultimately, money you can save.

Now, I will agree that documentation can be taken to an extreme. We’ve all seen companies where the documentation requirements were so involved that people created wasteful and often informal -- and therefore undocumented -- processes to “get around” the overhead of smothering documentation. The best documentation is never going to be the longest document.

Most organizations that are compliant with recognized standards are better businesses. They are more stable, more secure, and more efficient. It is easier to add new staff, understand who to hire, and even easier to sell such a business.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3157
Published: 2015-07-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

CVE-2015-3443
Published: 2015-07-02
Cross-site scripting (XSS) vulnerability in the basic dashboard in Thycotic Secret Server 8.6.x, 8.7.x, and 8.8.x before 8.8.000005 allows remote authenticated users to inject arbitrary web script or HTML via a password entry, which is not properly handled when toggling the password mask.

CVE-2015-4228
Published: 2015-07-02
Cisco Digital Content Manager (DCM) 15.0.0 might allow remote ad servers to cause a denial of service (reboot) via malformed ad messages, aka Bug ID CSCur13999.

CVE-2015-4233
Published: 2015-07-02
SQL injection vulnerability in Cisco Unified MeetingPlace 8.6(1.2) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuu54037.

CVE-2015-4238
Published: 2015-07-02
The SNMP implementation in Cisco Adaptive Security Appliance (ASA) Software 8.4(7) and 8.6(1.2) allows remote authenticated users to cause a denial of service (device reload) by sending many SNMP requests during a time of high network traffic, aka Bug ID CSCul02601.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report