Companies have an intrinsic need to protect their data, their resources, their assets and ongoing operations with the help of information technology (IT) and non-IT controls. In some cases, the law requires that companies protect their data, and failure to do so is a legal offense which can result in significant legal repercussions. Some of these regulations are SB1386, Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLBA), North American Electric Reliability Corporation (NERC), Federal Information Security Management Act (FISMA) Implementation Project and many more.
What Can Organizations Do?
IT security is concerned with the management of all aspects of IT operations in order to comply with internal company policies, management directives and regulatory requirements. Preventive, detective and corrective controls are subsets of IT governance frameworks and standards. Instead of implementing them piecemeal, which would make the administration and enforcement of these controls extremely difficult, an integrated approach using established industry standards is recommended.
Multiple IT frameworks and standards exist that help enterprises manage the different aspects of their operations with the core focal points being: information security, IT service delivery, IT operations and risk management across all these segments. The most popular IT frameworks are COBIT and ISO 27001.
The scope of implementation should be determined using a “top-down approach” as advocated by the Public Company Accounting Oversight Board (PCAOB) in Auditing Standard No. 5. Although this approach is from an audit perspective, it would help allocate resources and funds according to the areas that are high risk.
The cloud is a virtualized environment, where previously companies relied on multiple ‘physical boxes’ for their different systems. The emergence of cloud computing, with its scalability and practicality, means that security controls need to be designed around this solution. In addition, companies that have adopted cloud computing have already taken the first step to outsource their infrastructure. In such a business environment, it becomes imperative to continuously monitor the security status of their environment.
Outsourcing Information Security
This refers to the practice of separating the IT governance portion of a company’s business to a third party information security service provider. The benefits of this approach are:
• Leveraging the third party's economies of scale to get comprehensive IT coverage without having to expend huge amounts of capital.
• A move from an internal capital expense to an operational expense.
• No expensive assets need to be procured, implemented or maintained.
• No expensive resources need to be retained to manage and optimize security operations.
• Allows companies to focus on core competencies.
Continuous Security Monitoring
Security monitoring is a component of information security compliance that is common across all industry sectors and regulatory requirements. This type of monitoring involves gathering audit logs, normalizing them, analyzing them, defining thresholds, measuring security events against those thresholds and reporting the identified security incidents to the relevant stakeholders.
In order to perform this function in-house, an organization would need a team of resources, hardware and software tools that would perform this task on an ongoing basis: a significant capital expense for even large enterprises, let alone small to mid-size enterprises.
Another approach is to engage a managed security service provider (MSSP). That approach lets organizations get more from their investments, as MSSPs have the necessary certifications that set them apart from the competition. Similarly certified security operations centers are significantly more expensive when set up in an isolated environment, whereas MSSPs can leverage economies of scale.
• ISO 27001:2005, ISO 9001:2008, ISO 20000, ISO 14001 Certified Data Centers.
• More resources available for 24x7x365 coverage, including national and international holidays.
• Large enterprises with globally distributed offices may find this option more attractive as they already may have regional presence and experience.
• Small to mid-size enterprises, however, need this option more than their larger counterparts, considering that they need low overheads in order to grow.
• This is an ideal solution for organizations that want a cost effective but reliable and scalable solution.
There are multiple solutions to prevent security incidents. The operations staff needs to develop business cases to convince their management of the best framework that suits their environment. The project implementation plan must factor in any plans of outsourcing while considering that information security is an ongoing operational process and cannot be treated as a one-off project.