Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

2/13/2012
06:01 PM
50%
50%

Avoid Putting IT In A GRC Vacuum

When infosec pros are asked to set security and compliance policies with no line-of-business input, problems are inevitable

While IT personnel should have significant input in developing governance, risk and compliance (GRC) strategies, organizations that depend on the technologists to handle it all themselves are setting themselves up for failure, compliance and risk experts warn.

“We need to get out of the mode of compliance just being the responsibility of the IT organization,” says Scott Laliberte, managing director with security consulting firm Protiviti, who says that gaps inevitably arise when business executives assume IT workers will understand exactly what needs to be locked down to protect the highest priority business interests. "Really getting those two groups together so that the requirements are being identified up front and then it can implement those requirements and controls and also making sure as change is envisioned in the business that the security implications are being thought through." “

According to Glenn Phillips, president of Forte Inc., an audit firm that does IT security and HIPAA assessments, IT should never decide policy or left totally alone to verify procedures.

“Many business leaders think they are delegating IT responsibility because they don't understand it. What they end up really doing is ignoring the people and processes around IT,” he says. “IT is left to set their own rules with little-to-no oversight. And IT may prefer this even though it causes great risk for the business.” A good start to bringing both groups together is to bestow compliance responsibility on a single person or small team, preferably people with cross-pollinated business and technology skills. They can act as a liaison between groups.

“Assign clear compliance responsibility to a specific authority within your organization. And, along with that responsibility, don't forget to give them the authority to actually meet those goals,” says below Jon Heimerl, director of strategic security for consultancy firm Solutionary. “Make sure everyone in your organization knows who owns compliance. Make sure those people are fully trained so that they are truly qualified to actually manage the compliance process. Understand that no one person can truly understand all compliance requirements of a complex organization, but you must identify what your specific compliance requirements are, and ensure that you have appropriate compliance expertise.”

This liaison can also act as a translator of sorts. According to Laliberte, one of the reasons that IT is usually left to its own devices in devising compliance strategies is that the executives and the technologists never learn to speak the same language.

“Being able to define requirements and risk in terms that both technologists and business personnel can understand is a big one,” he says. “Risk has to be related back to the business.” As line-of-business and technology groups work to cooperate, they’re more likely to succeed if they remember that compliance is a "living" thing, Heimerl says. Neither IT nor business worlds stand still.

“Systems change, people change, your environment changes, so you can’t just get compliant and stay there,” he says. “Enforce change control on your key systems, especially those systems that impact compliance. Monitor your environment to actively watch for changes, as well as for abhorrent behavior, which can serve as indications that something changed that you didn’t see.”

All of these suggestions, of course, are dependent on how upper level management sets the tone for collaboration, Laliberte says.

“Having the senior leadership at the company embracing the need for that governance structure and really making it a significant mandate and a significant priority to the business is probably most important of all,” he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MS8699
50%
50%
MS8699,
User Rank: Apprentice
2/15/2012 | 6:47:12 AM
re: Avoid Putting IT In A GRC Vacuum
GǣIT is left to set their own rules with little-to-no oversight. And IT may prefer this even though it causes great risk for the business.Gǥ-
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17513
PUBLISHED: 2019-10-18
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
CVE-2019-8216
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8217
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-8218
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8219
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .