Keeping security tight to protect stakeholders

Security used to be something you did for your own sake. But with stricter privacy regulations, user awareness, and corporate responsibility to the local and international community, other stakeholders are making demands on your security posture. 

Also, if you are caught out of compliance, you risk getting heavily fined. And that’s a motivator to most organizations.

Things to consider

Identify what to comply with, and your risk

To comply with standards and regulations, you have to know which ones apply to you. Identify the standards and requirements that apply to your business and sector – national, international, by industry: NIST, CIS, SOX, HIPAA, PCI-DSS, NERC, GDPR, etc.

The regulations are there to provide you with guidelines for best practice based on what business you are in, and where in the world you operate.

Failure to comply can result not only in heavy fines, but also in leaving you vulnerable to data breaches. So, while they may be a bit of a pain, they are also there for your own good…

Based on the standards you need to comply with, perform a risk analysis to identify business critical requirements, and assess your current state of compliance. 

IT needs help from the business to comply

Because IT permeates all aspects of business, the standards that apply to the different business functions must often be implemented and enforced by IT.

But figuring out which regulations apply to you, and interpreting which policies and controls are required to reach compliance, is not simple. In most organizations, identifying what to comply with, and applying that knowledge to the everyday workings of your infrastructure, is complex and open to interpretation.

Consultations between IT, the specific business function and your internal or external legal team are advisable.

Your C-level will also want to reach out to advisors at corporate level – e.g. business interest groups – about requirements and industry specific best practices and recommendations.

Configuration, analysis and visualization

Three disciplines that are usually relevant to compliance, regardless of industry and market, are: data storage policies; identity and access privileges; and patch levels.

CTGlobal uses these methods for compliance projects:

  • Mapping – identifying actual vs desired state.
  • Visualization – ongoing tracking and display of status and progress.
  • Analysis – determining requirements for achieving desired state.
  • Design – planning and/or implementing the required processes and technologies.
  • Reporting – continuous monitoring of status, progress and cost.
  • Documentation – proof of compliance for audit purposes.

We work from our own NIST-CSF-based framework, and base our compliance solutions on Microsoft technologies.

Read about our Microsoft Security First strategy here

Contact us for a project proposal and pricing

Our local business development managers will work with you to scope your requirements, and draft a customized proposal.