Published/updated: May 2011
Every IT professional recognises the importance of securing the IT systems on which critical business processes now depend. It is even true to say that business users themselves are beginning to realise that while external drivers such as compliance with regulatory pressures, securing corporate data and protecting a company’s brand are essential aspects of what we might term “IT security”, the true importance is apparent in everyday operations.
This recognition places greater stress on the overall governance strategies that organisations need to ensure that data is secured effectively. It is also a fact that many organisations are looking continuously to deploy updated services, and to make use of an ever-growing range of tools and devices. Against this background, there is growing pressure to ensure that sensitive data is protected, wherever it is held or processed.
The question for many IT professionals is which laws, regulations and company compliance measures apply to the systems they run and the data they hold. The answer can be difficult to find unless you happen to be a legal professional specialising in this area.
While there are certain measures that apply to almost every organisation, such as the EU data protection requirements and their international equivalents, there can be subtle local differences in interpretation of how compliance should be achieved. At the same time, there is a plethora of laws and regulations that may apply geographically or by industry vertical. Organisations cannot pick and choose to comply with only the “most important”, as the PR challenges caused by any breach can be calamitous. Ignorance of the law is never an excuse that works with judge, jury or the general court of public perception.
Perhaps the most obvious starting point is to raise the profile of the solutions at the heart of good systems management infrastructures. Among these are identity management, asset management and data classification solutions.
Of these, identity management is the tool with the most obvious direct connection to securing IT operations and services. But few organisations have implemented identity management policies and solutions that manage to span the entire infrastructure. Even fewer have policies or tools in place capable of working with identities of individuals outside the organisation who may require access to corporate information.
This raises the question of how organisations can work to secure data appropriately. We know that more and more sensitive corporate data is being held outside core central storage platforms, on laptops and a rapidly expanding range of devices such as smartphones and tablet systems. Unless the organisation has some means, be they manual or automated, of establishing the sensitivity of data held on such machines, it is a difficult task to ensure that sensitive data is adequately secured, for example by encryption and key management solutions.
With many nations already moving to increase the penalties for data loss and data breaches, organisations are going to have to take steps to protect sensitive information. This is an area where the solutions available are still developing, but with new disclosure legislation looking likely in various countries, and with organisations themselves slowly recognising the real value of the data they hold, this is an area where vendors are likely to invest heavily.
In fact, when starting out, many organisations are adopting broad-brush approaches to data protection as their first step. For example, rather than attempting to undertake sophisticated data classification projects, they may decide to implement encryption across all mobile devices. If these go well, then more limited file-based encryption and DRM may have roles to play.
But it is also essential to ensure that each and every user has access to only the data they need to do their job. It is even more important to ensure that every individual understands how important it is to look after sensitive data and the devices on which it is held. Our research and experience shows that proper and continuously refreshed training of users has the biggest impact in keeping sensitive information safe. This raises the challenge of how IT can establish which management tools can help to secure operational services. And indeed, to whom one can turn for advice.
This latter point is especially important when considering governance in relation to the increasing burden of compliance. Regulatory and external compliance requirements certainly have the potential to put extra pressure on IT professionals to use systems to help the organisation meet its obligations. Hence, the problem for many IT staff, who are not usually legal eagles, becomes one of trying to define the framework in which the governance regime must fit.
The next step is to translate the framework requirements into practical management policies. But getting to this stage needs input from those with knowledge of the compliance drivers and the business requirements, preferably translated into language that mere mortals can comprehend, and pointing the management tools at exactly what needs to be administered.
The obvious answer would be either specialist staff from a compliance monitoring role within the business or external consultants. Equally, there is a place for the IT vendors themselves and their channel partners to advise on how their solutions can address the challenges defined by the policymakers. There are also some independent forums and consultants who specialise in security solutions, of which the Jericho Forum is worthy of mention.
Whatever approach you take, one thing is clear: organisations cannot pick and choose when looking at compliance with regulatory requirements, national and international laws. It is about finding out which apply and then prioritising how to meet the requirements and obligations.
By Dale Vile & Jack Vile