
Five key elements to complete IT compliance

Gavin Selkirk, President, BMC Asia Pacific | March 30, 2015
Security breaches could, more often than not, be a result of IT non-compliance. Here's how to fix it.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Start-up brand Uber recently acknowledged that it suffered a security breach which resulted in the disclosure of the names and driver's licence numbers of about 50,000 drivers. Closer to home, several Hong Kong government websites were hacked by the 'hacktivists' Anonymous in a show of support for the Occupy Central movement.

These security breaches were definitely not by chance and could, more often than not, be a result of IT non-compliance. The Economist Intelligence Unit recently published a report, 'Sharing the blame: How companies are collaborating on data security breaches', which showed that breaches are occurring at a high rate in Asia. In keeping with the title of the report, only 35 percent of the Asian companies surveyed were confident that they had not experienced a data breach in the past year.

The needs of the business have often overruled the requirements of compliance, with enterprises purchasing any and every solution they believe will help increase company productivity, efficiency and communication. This has left several companies with disparate IT systems and with compliance standards placed on the back burner. The arrival of cloud computing and social media, and the rising trend of employee-owned devices, make it even more of a challenge for IT managers to ensure complete compliance with regulatory requirements and practices across the workplace.

Security and operations teams both play crucial roles in the area of compliance. It is the job of the security team to spot issues; however, they rely on operations to make changes. The operations team may not be as proactive in making changes, because they do not fully recognise the security threat and would rather take a 'wait and see' approach so as not to alarm employees with dynamic changes. This means that the time between identification of a security issue and its resolution can be a period of weeks or even months.

In view of recent high-profile security breaches and compliance failures, organisations need to find a way to plug the gap between security and operations (SecOps). How can organisations modernise their approach to compliance and close the SecOps gap with a strategy designed for today's complex, dynamic IT environments?

Discover
Regular automated discovery ensures that compliance efforts cover all relevant applications and infrastructure. Some approaches to discovery focus on the "core" systems, but the reality is that non-core systems can serve as a bridgehead into the network for attackers. This is even more true of unofficial systems, which may not be properly patched, hardened and updated. Whether or not a system is managed by the security team, it is the security team that will be held responsible for any breach it lets through. To ensure that the entire environment can be brought into compliance, a comprehensive discovery capture needs to include unofficial and unmanaged systems as well as any temporary modifications, virtualised assets and other relevant dependencies.
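As an added illustration of the reconciliation this step implies (example code, not from the article or from any BMC product), the following Python compares a constructed discovery result against a constructed asset register and reports the hosts that would otherwise fall outside compliance coverage; all host names, field names and the patch-age threshold are assumptions.

```python
"""Reconcile automatically discovered hosts against the managed inventory.

Added example: both data sets are constructed, and the field names and
the 30-day patch threshold are assumptions, not values from the article.
"""
from dataclasses import dataclass

# Constructed sample: what the asset register (CMDB) says is managed.
MANAGED_INVENTORY = {
    "web-01":   {"owner": "ops", "compliance_scope": True},
    "db-01":    {"owner": "ops", "compliance_scope": True},
    "build-07": {"owner": "dev", "compliance_scope": False},
}

# Constructed sample: what an automated discovery run actually found.
DISCOVERED_HOSTS = [
    {"name": "web-01",    "virtual": True,  "last_patch_days": 12},
    {"name": "db-01",     "virtual": False, "last_patch_days": 40},
    {"name": "build-07",  "virtual": True,  "last_patch_days": 210},
    {"name": "test-vm-3", "virtual": True,  "last_patch_days": 365},  # unofficial VM
]


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str


def reconcile(inventory, discovered, max_patch_age_days=30):
    """Return one Finding per gap between discovery and the managed inventory."""
    findings = []
    seen = set()
    for host in discovered:
        name = host["name"]
        seen.add(name)
        record = inventory.get(name)
        if record is None:
            # Discovered but unknown to the register: an unmanaged system.
            findings.append(Finding(name, "unmanaged: not in inventory"))
        elif not record["compliance_scope"]:
            # Known, but deliberately left outside compliance checks.
            findings.append(Finding(name, "managed but excluded from compliance scope"))
        if host["last_patch_days"] > max_patch_age_days:
            findings.append(Finding(name, f"patch age {host['last_patch_days']}d exceeds {max_patch_age_days}d"))
    for name in inventory:
        if name not in seen:
            # Register entry that discovery never saw: stale record or offline asset.
            findings.append(Finding(name, "in inventory but not discovered"))
    return findings
```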
