THE IT SECURITY PROFESSIONAL
Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
When developing policies and standards for any company, the question always comes up with Senior Management: "how will we manage all of these policies?" This is a question that should be answered prior to starting any compliance project, as various standards will have different requirements and the company may have to change its processes to be compliant with them. Whether the company wants to streamline the process or wants to do its own thing, it's important for the IT Security Pro to strike a balance.

Compliance Requirements

Compliance has many facets that the IT Security Pro will have to navigate through the course of their career. Companies of all sizes may decide to pursue a compliance standard, or they may be required to do so by the nature of the business that they are in. Whatever the reason, compliance standards will suggest or recommend certain features. This requirement should be clearly communicated to all of the stakeholders in advance. Having an IT Security Program is more than having a few policies that address security-related issues; it is also adhering to the standard and having the specific required documentation in the manner prescribed by that standard. Whether it is having the Information Security Management System (ISMS) as prescribed by ISO 27001:2013, a SOC 2 compliance checklist, or even NIST's Cyber Security Framework, each one will have specific requirements for the business to follow to be "compliant with the standard".

Designated Compliance Structures

An area of focus that all of the above compliance standards have in common is that there will be a structure for how the new policies or standards are to be managed. While how the company goes about this is left to be determined by the standard, the business may have several courses of action in this area. Whether it is designating or using a central document repository or some other mechanism, the business should determine this prior to moving forward with any compliance standard.

Policy Development

IT Security standards are notorious for having multiple areas of focus or requirements, with what seem to be multiple documents for the same thing. While this may seem to be the case at the outset, this granularity provides a robust and complex set of requirements for IT staff and security staff to follow. Additionally, these requirements help to outline how the policy will be affected when it is implemented by the business. With a list of controls outlined in the standard, these can be correlated into a checklist that allows for the quick determination of whether the control is in place or whether it may be missing. Auditors can quickly and accurately determine whether this is a major finding, or whether it is something that will allow the business to continue with the audit in order to determine its compliance with the designated standard. These policies or documents may have multiple versions that address various aspects of the same policy.

Common Hurdles

Some common hurdles that the IT Security Pro will face when implementing new policies and standards for the business are the following:
• There are too many policies to keep track of.
• Do we really need all these policies?
• Are all these policies and documents required by the standard?
• How detailed do we have to get for an auditor?
• This is too complicated to keep track of.
All of these are common misconceptions about how to manage IT Security policies. Whether the refrain comes from a stakeholder or an employee, it's important for the IT Security Pro to understand that these are roadblocks that will need to be overcome if there is going to be adherence to the defined standard.

Centralized Management

Providing a central location for the management of IT security policies allows for these policies to be reviewed and approved on an annual basis (this is the current best practice in most IT security standards) and allows for the centralized management of these policies. IT security continues to evolve and change based on the number of threats, changes in technology, or governmental regulatory requirements.

Summary

There are many benefits to managing IT security policies from one location, whether it is the management of those policies or keeping them readily accessible for review. In most cases IT Security policies are living documents and will need to change and be updated in accordance with current best practices or changes within the business itself. Additionally, having a designated individual or role that reviews and updates these policies on a regular basis is a requirement of most of the current IT Security related standards. Having over a hundred designated controls may seem like a daunting task for a business to comply with, but having policies that address these specific controls in multiple areas of the organization is an even more daunting task, let alone keeping track of them in a coherent manner.

Developing and implementing IT Security policies is an area where an IT Security Pro may spend a lot of their time during the course of a year, but it is also one of the most rewarding.
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.
Archives: January 2023