May 28
SAM for security
Author: Phara McLachlan
Filed Under Information Security
Non-compliance with regulators and software vendors invites a host of problems - fines, lawsuits and bad publicity, on top of the security issues themselves. Technology is the basis of the business world, and every new program, internet browser and social network brings new security risks. The inability to control the IT environment is a major problem for organizations that do not plan and implement security policies effectively. The healthcare industry, for example, is at greater risk because it houses data that must be protected from prying eyes. This is why most healthcare companies enforce strict firewall and web-filtering policies for employees, often allowing internet access only to the sites needed to run the business. This is just one more reason why IT governance is a necessity for every business, in any industry, to protect itself. Whether the cause is an outside attacker or a virus accidentally downloaded by an employee, these incidents can cost hundreds of thousands of dollars and be detrimental to your business.
Along with a strict set of policies and procedures, we recommend giving employees access only to what they absolutely must have for their job role (the principle of least privilege). Trouble starts when access is granted above and beyond what the role requires: excess access cuts into productivity, and it widens the organization's exposure to outside threats such as worms, Trojans, spyware and other malware, because every extra system or privilege an account holds is one more thing an attacker can reach through that account. Internal controls are the key to monitoring employee usage and protecting the business from the unnecessary expense that security incidents bring.
Feb 12
QSA – Friend or Foe?
Author: Phara McLachlan
Filed Under ITAM (Asset Management), Information Security, Software License Compliance
Security professionals often face challenges from both ends of the stick - internal audit staff and external auditors. Adding to the strain are Qualified Security Assessors (QSAs), the assessors certified by the PCI Security Standards Council to perform PCI DSS assessments. Although a QSA engagement can sometimes feel like a threat, my advice is to make nice - it will benefit both your mission and the QSA's, and make the whole process go more smoothly. When the QSA comes into your organization they are looking for a few things: that each of your controls works as intended, that every identified risk has appropriate controls in place, and that you have documentation showing all required actions were actually carried out.
Additionally, here are some tips about working with auditors for those of you out there who will go through this process:
1. Document everything - the measures you take to reduce risk AND the cases where you decide to accept risk, with the reasoning and the approver recorded
2. Embed controls and control objectives in the security architecture, so evidence of the control is produced by the system itself rather than assembled for the audit
3. Don't get "cocky" - neither overstate nor understate the degree of confidence you have in your controls and mitigations. If you exaggerate in one instance, the auditor will second-guess everything else you say.
Feb 10
Employee training for security
Author: Phara McLachlan
Filed Under Information Security, Software License Compliance
No matter how good your security framework and controls are, they will not be effective without a proper employee training and education program behind them. Here are some basic tips for a successful program that goes beyond telling employees not to open emails from people they do not know.
Establish rules for how confidential information is to be handled and educate your employees about them:
- Provide ongoing education on policies and procedures, not a single session at hire
- Provide clear information about whom to contact should they come across a security threat or risk
- Run group-specific training programs. For example, educate finance staff on fraud detection
Once all of the action items are in place, you will need a measurement system to determine whether or not the program is actually working. Interpreting the numbers can be difficult: employees who are now more aware of what a threat looks like will report more, so a rise in reported incidents after training usually reflects better detection rather than more attacks. The end result of an effective employee security awareness program is compliance and the absence of disastrous incidents.