Perimeter

2/29/2012
04:03 PM
50%
50%

It's True: Compliance Can Be Good For Your Business

The best insurance for your organization is often the processes required for compliance

I’ve often thought that many businesses not subject to compliance requirements should still pick one or two compliance standards and become at least informally compliant. While that may seem like a lot of extra, expensive work, if done with thought and prudence, it can be better insurance than anything a company can buy.

Let me explain. Organizations insure their physical assets against loss from fire, theft, and other damage. Most protect their data with a robust backup system. What they most commonly skip is protecting how things get done in the business. Processes and procedures, both technical and operational, are often poorly documented, if documented at all.

If key staff becomes unavailable for any reason, it can be very expensive to determine how they did their job and why they did it that way. “Who knows how to restore the backup?” “How do we add a new user to the accounting system?” There are literally thousands of answers to questions like these that go undocumented.

Across the range of the various compliance standards, the most common element is thorough, current documentation. After all, no one can assess or confirm compliance without the steps, process, or procedure explained in detail. No auditor will accept, “The IT staff said they do this correctly,” as verification the process is done, managed, tracked, and verified.

Current, useful documentation is the answer because inevitably the question will be, “How?” Documentation explains how: how tasks are performed, how often they are performed, how they are tracked, how they are verified, and a host of other “hows.” When done right, this documentation is your operations guide for much of your business. It’s a book of important actions -- the fundamental, essential things for you to do to keep your company on track.

Creating and maintaining such documentation can be an incredibly beneficial project for an organization. I find many companies, especially small and midsize organizations, have almost no idea how their employees do their jobs. In documenting how the work gets done, you’ll unearth a number of surprises: onefficiencies, security problems, redundancies, and even holes.

Creating documentation is really about understanding how things work and recording them. Once recorded, you have a blueprint you can adjust, usually a number of potential efficiencies you can enact, and, ultimately, money you can save.

Now, I will agree that documentation can be taken to an extreme. We’ve all seen companies where the documentation requirements were so involved that people created wasteful and often informal -- and therefore undocumented -- processes to “get around” the overhead of smothering documentation. The best documentation is never going to be the longest document.

Most organizations that are compliant with recognized standards are better businesses. They are more stable, more secure, and more efficient. It is easier to add new staff, understand who to hire, and even easier to sell such a business.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.