Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

2/13/2012
06:01 PM
50%
50%

Avoid Putting IT In A GRC Vacuum

When infosec pros are asked to set security and compliance policies with no line-of-business input, problems are inevitable

While IT personnel should have significant input in developing governance, risk and compliance (GRC) strategies, organizations that depend on the technologists to handle it all themselves are setting themselves up for failure, compliance and risk experts warn.

“We need to get out of the mode of compliance just being the responsibility of the IT organization,” says Scott Laliberte, managing director with security consulting firm Protiviti, who says that gaps inevitably arise when business executives assume IT workers will understand exactly what needs to be locked down to protect the highest priority business interests. "Really getting those two groups together so that the requirements are being identified up front and then it can implement those requirements and controls and also making sure as change is envisioned in the business that the security implications are being thought through." “

According to Glenn Phillips, president of Forte Inc., an audit firm that does IT security and HIPAA assessments, IT should never decide policy or left totally alone to verify procedures.

“Many business leaders think they are delegating IT responsibility because they don't understand it. What they end up really doing is ignoring the people and processes around IT,” he says. “IT is left to set their own rules with little-to-no oversight. And IT may prefer this even though it causes great risk for the business.” A good start to bringing both groups together is to bestow compliance responsibility on a single person or small team, preferably people with cross-pollinated business and technology skills. They can act as a liaison between groups.

“Assign clear compliance responsibility to a specific authority within your organization. And, along with that responsibility, don't forget to give them the authority to actually meet those goals,” says below Jon Heimerl, director of strategic security for consultancy firm Solutionary. “Make sure everyone in your organization knows who owns compliance. Make sure those people are fully trained so that they are truly qualified to actually manage the compliance process. Understand that no one person can truly understand all compliance requirements of a complex organization, but you must identify what your specific compliance requirements are, and ensure that you have appropriate compliance expertise.”

This liaison can also act as a translator of sorts. According to Laliberte, one of the reasons that IT is usually left to its own devices in devising compliance strategies is that the executives and the technologists never learn to speak the same language.

“Being able to define requirements and risk in terms that both technologists and business personnel can understand is a big one,” he says. “Risk has to be related back to the business.” As line-of-business and technology groups work to cooperate, they’re more likely to succeed if they remember that compliance is a "living" thing, Heimerl says. Neither IT nor business worlds stand still.

“Systems change, people change, your environment changes, so you can’t just get compliant and stay there,” he says. “Enforce change control on your key systems, especially those systems that impact compliance. Monitor your environment to actively watch for changes, as well as for abhorrent behavior, which can serve as indications that something changed that you didn’t see.”

All of these suggestions, of course, are dependent on how upper level management sets the tone for collaboration, Laliberte says.

“Having the senior leadership at the company embracing the need for that governance structure and really making it a significant mandate and a significant priority to the business is probably most important of all,” he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MS8699
50%
50%
MS8699,
User Rank: Apprentice
2/15/2012 | 6:47:12 AM
re: Avoid Putting IT In A GRC Vacuum
GǣIT is left to set their own rules with little-to-no oversight. And IT may prefer this even though it causes great risk for the business.Gǥ-
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13842
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). A dangerous AT command was made available even though it is unused. The LG ID is LVE-SMP-200010 (June 2020).
CVE-2020-13843
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS software before 2020-06-01. Local users can cause a denial of service because checking of the userdata partition is mishandled. The LG ID is LVE-SMP-200014 (June 2020).
CVE-2020-13839
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via a custom AT command handler buffer overflow. The LG ID is LVE-SMP-200007 (June 2020).
CVE-2020-13840
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via an MTK AT command handler buffer overflow. The LG ID is LVE-SMP-200008 (June 2020).
CVE-2020-13841
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 9 and 10 (MTK chipsets). An AT command handler allows attackers to bypass intended access restrictions. The LG ID is LVE-SMP-200009 (June 2020).