AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY

Monday, May 18, 2009

The Checklist Approach to IT Security is Failing You

In the past few weeks I have spoken to a number of companies about IT security, and a familiar theme has emerged – too many companies lack a sound framework for overall IT security. Instead many companies are overly focused on completing a check list – firewall, encryption, PCI compliance.

This checklist approach to security is not only dangerous; it can also be expensive and difficult to effectively manage. Companies should move quickly to adopt an IT security framework. ISO 27001 is a good one.

What is ISO 27001?

It is a standard outlining the requirements for an Information Security Management System (ISMS). It helps identify, manage and quantify the range of threats to critical corporate-controlled information.

Compliance with this standard shows customers, partners, employees and other constituents that information security is being taken seriously and that effective steps are in place to manage security at every level – not with a piecemeal approach.

Information Security affects the very core of any business. Personal information, customer records, financial information and intellectual property must be protected from loss, theft and damage. The ISO 27001 provides the controls and processes necessary to protect core business needs.

As well as delivering security improvements, auditing your processes has additional, valuable benefits:

• Cost Savings - the cost of a single information security breach can be significant.
• Commitment - registration helps to ensure and demonstrate commitment at all levels of the organization.
• Credibility, trust and confidence - customers can feel confident of your commitment to keeping their information safe.
• Compliance - registration helps to show the authorities that you comply with the relevant laws and regulations.

Is it relevant to you? It's relevant to every business.

This standard can become the foundation of any company's IT security strategy. The framework and processes deployed can be tuned to reflect different business needs. The value of information is different for every company large or small. For example large organizations such as financial and government institutions will often hold detailed information on millions of customers, individuals or businesses. Keeping that information both secure from theft but accessible for day-to-day use can be conflicting requirements. A smaller organization may value a single customer record very highly. Whatever the size of the company or the sensitivity of the date, effective processes can ensure more responsible use of data.

Have you been able to find a balanced approach to managing information security risk via ISO27001?

LABELS:

Compliance,

PCI,

Security,

Tim Trow

Post a Comment

BLOG ARCHIVE

• 2010 (5)
  • March (1)
    • Why HP is Worried about Third Party Maintainers
  • February (1)
    • Has the Sun Set on Flexible Support Options?
  • January (3)
    • You Inherited Your Cisco Infrastructure, But Do You Know Why You are Still Buying It?
    • Your Workers are Surfing While Snacking on a Big Mac - Time to Revisit Managing Your End-Point.
    • Ensuring Security in the Virtualized Environment
• 2009 (34)
  • December (1)
    • Monitoring Via the Cloud
  • November (2)
    • Sun Makes More Changes Amid Uncertainty
    • Sky High Cloud Chatter
  • October (2)
    • Improving Vulnerability and Patch Management
    • A Couple Quick and Easy Green IT Steps
  • September (3)
    • Don’t Put off Until Tomorrow…
    • Boston's Missing Email Case Has Many People Asking Questions about Digital Forensics
    • IT Needs Turbo Compliance
  • August (3)
    • Take Full Advantage of System Monitoring
    • Implement, educate and enforce strict Social Media usage policies – in that order
    • Preparing for a Return to Growth? It’s Not Too Soon to Make Process Improvements
  • July (2)
    • Death by A Thousand Processes: Getting Compliance Right Requires a Change in Thinking
    • Wrest Control of Your Data Center Back From the OEM
  • June (3)
    • Getting Ready for Cloud Computing
    • A Letter to Ralph Szygenda, the CIO of General Motors
    • Lax Web Site Security: The Site Owner's Responsibility
  • May (3)
    • The Checklist Approach to IT Security is Failing You
    • Financial Strength of Your Vendors…Show Me the Money!
    • PCI DSS v1.2 and its Requirement from WEP to WPA Wireless Encryption
  • April (4)
    • The Near-Term Impact of Oracle Buying Sun
    • On the Path to the Cloud... Walk Before You Run
    • CIOs Need to Manage Up, Broadcast Successes
    • Consolidate Support Vendors?
  • March (4)
    • A Potential Sun Acquisition - Impact on Service
    • April 14 is Decision Day for Those Running Microsoft Exchange 2003
    • HIPAA Revitalized in 2009 and Beyond
    • Ten Steps for the Mass Data Security Law
  • February (7)
    • Tightening Budgets and Their Impact on IT Security
    • Recent Breaches Remind us to Focus on Security
    • The Training You Need Vs. The Training You Receive
    • Emphasizing Virtualization Security
    • DNS Audits: A Practical Guide
    • Practical Green IT
    • "Practical Use" Fills the Gap Between Idea and Implementation

BLOGS WE LIKE

• CIO - Blogs and Discussion - Best Practices
• InformationWeek’s Global CIO Weblog