The problem with regulations is that they provide no specific roadmaps for IT departments on what technologies to employ, what processes to deploy and how to manage the entire shift.
From an IT security point of view, South Africa is not heavily mandated. There are some local regulations such as Basel II and for some there are the international regulations that they must comply with.
But regulations need not be a vague collection of pain points for IT departments to worry about. With executives aware of the ramifications for failing to comply with legislation, new and emerging regulations are also a perfect way for IT departments to come out and get the budget they always wanted.
IT departments need not spend any of that welcome budget on discovering how to meet vague security requirements. IT vendors have already done a great deal of the groundwork. Customers can tap into the vendors' efforts through white papers, technical experts and the vendors' internal systems: they must also comply with regulations.
Ulrich Weigel, EMEA director of Security Management Practice at Attachmate
The most common problem that customers face is reporting their IT security compliance to executives. There are consultants who will do it for them, but since companies will be required to report compliance every year it is a far better idea to automate the process as much as possible. For most companies it will save a great deal of time and expense.
Reporting is a key ingredient to automation's success. Different executives have different mandates and the technical and executive roles seldom mix well. One solution is Web-based reporting, categorised by role.
Appropriate access will allow people to interrogate it and quickly get to the information that matters to them. Above all, the system must divulge answers to questions that business users will pose. A colour-coded bar works well for a broad overview. But clicking on it should allow the executive to interrogate the criteria from which that bar is derived. Consider too that auditors will need to investigate the reports and if they find it difficult, it will negatively impact the company's rating.
Policies the next challenge
The next challenge for organisations embarking on a compliance reporting project is policies. They must govern everything that employees do and link into governance, legal and HR mandates. The key to success is good management and regular updates. While some organisations will write their own policies, most will contract consultants because, while it may not at first glance appear so, it requires specialist knowledge and skills.
Managing policies can be tricky. One component is ensuring that people read them, understand them and act on them. Since IT security policies are not integral to most employees' jobs, and since many employees are pressed for time, policy documents regularly achieve a low status on priority lists. They are seldom even read, let alone acted on.
People cannot be patched. Anyone who wants to make responsible employees and managers part of the security system must win them over and equip them with knowledge. Every employee with access to company data is effectively part of the IT supply chain and must implement the predetermined security policies. Even the team assistant is affected by security policies; anyone sending e-mails should be able to recognise phishing. The only way to deal with external threats in a sustained manner is to shift security know-how from the IT department's security ivory tower into the heads and consciousness of all employees.
Getting people to read the security policies is easy. Making them sign off that they have read and understood them and then take a quiz on the documents will ensure it. A Web-based tool can be used for ongoing training. That ensures that people do not forget about security; that it remains top of mind.
From the ivory tower to the trenches
Regulations may at first appear to hinder IT security, since they place an overhead on the entire company, not just the IT department; but the regulations came about because there was a need to secure the corporate world. If the regulations take security from the IT department's ivory tower and place it into every single office and cubicle, then regulations are not a hindrance. Any organisation that makes security everyone's problem will reduce its exposure to risk.
For more information contact Riaan Otto, 10Net ICT Solutions, +27 (0)11 783 7335, email@example.com