Perimeter

2/29/2012
04:03 PM
50%
50%

It's True: Compliance Can Be Good For Your Business

The best insurance for your organization is often the processes required for compliance

I’ve often thought that many businesses not subject to compliance requirements should still pick one or two compliance standards and become at least informally compliant. While that may seem like a lot of extra, expensive work, if done with thought and prudence, it can be better insurance than anything a company can buy.

Let me explain. Organizations insure their physical assets against loss from fire, theft, and other damage. Most protect their data with a robust backup system. What they most commonly skip is protecting how things get done in the business. Processes and procedures, both technical and operational, are often poorly documented, if documented at all.

If key staff becomes unavailable for any reason, it can be very expensive to determine how they did their job and why they did it that way. “Who knows how to restore the backup?” “How do we add a new user to the accounting system?” There are literally thousands of answers to questions like these that go undocumented.

Across the range of the various compliance standards, the most common element is thorough, current documentation. After all, no one can assess or confirm compliance without the steps, process, or procedure explained in detail. No auditor will accept, “The IT staff said they do this correctly,” as verification the process is done, managed, tracked, and verified.

Current, useful documentation is the answer because inevitably the question will be, “How?” Documentation explains how: how tasks are performed, how often they are performed, how they are tracked, how they are verified, and a host of other “hows.” When done right, this documentation is your operations guide for much of your business. It’s a book of important actions -- the fundamental, essential things for you to do to keep your company on track.

Creating and maintaining such documentation can be an incredibly beneficial project for an organization. I find many companies, especially small and midsize organizations, have almost no idea how their employees do their jobs. In documenting how the work gets done, you’ll unearth a number of surprises: onefficiencies, security problems, redundancies, and even holes.

Creating documentation is really about understanding how things work and recording them. Once recorded, you have a blueprint you can adjust, usually a number of potential efficiencies you can enact, and, ultimately, money you can save.

Now, I will agree that documentation can be taken to an extreme. We’ve all seen companies where the documentation requirements were so involved that people created wasteful and often informal -- and therefore undocumented -- processes to “get around” the overhead of smothering documentation. The best documentation is never going to be the longest document.

Most organizations that are compliant with recognized standards are better businesses. They are more stable, more secure, and more efficient. It is easier to add new staff, understand who to hire, and even easier to sell such a business.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8903
PUBLISHED: 2019-02-18
index.js in Total.js Platform before 3.2.3 allows path traversal.
CVE-2019-6453
PUBLISHED: 2019-02-18
mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on browser-specific URI handling (Chrome is not exploitable).
CVE-2019-8372
PUBLISHED: 2019-02-18
The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes functionality that allows low-privileged users to read and write arbitrary physical memory via specially crafted IOCTL requests and elevate system privileges. This occurs because the device object has an associated symbolic link an...
CVE-2019-8902
PUBLISHED: 2019-02-18
An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI.
CVE-2019-8423
PUBLISHED: 2019-02-18
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.