Managing information risks: Do you have IT governance?


Kevin Beaver, CISSP
02.21.2007
Advice for securing Windows

Think you've got IT governance? Probably not. And empty promises on paper or fancy technologies that aren't managed the right way aren't going to cut it. However, again and again that's what I see when it comes to managing information risks.

With documentation, I see everything from stale policies addressing 5 1/4-inch floppies and Word macro viruses to incident response plans focusing on what to do when the network is attacked via dial-up modem. I even see outdated references to auditor checklists with eight or 10 questions concerned mostly with passwords being at least six characters long and containing both letters and numbers.

Likewise, when it comes to security controls, I see and hear everything from audit logging that tracks every event under the sun without a single person monitoring what's going on to "Yep, we have a firewall and antivirus software -- that's all we need, right?" Or, how about this one: "We trust our employees -- we gave them a copy of our policy document when they started working here and they know to be on the lookout." There's even my favorite: "We perform ongoing security testing. Here's a copy of our report from three years ago." Even with all the known hacks, social engineering breaches and clear and concise compliance requirements, this mode of operation is still what's driving the information security function within a lot of organizations.

Let me get to the root of the problem: It's the higher-ups on mahogany row. You know what I mean … your boss and his colleagues who can't be bothered with the burdens associated with information security. By and large, management is disconnected from information security and IT governance in general. In fact (see if you recognize this), if something bad ever happened -- be it a lost laptop, a social engineering attack, a widespread malware outbreak or whatever -- and systems were down and information was lost, those higher-ups really wouldn't have any good answers for the auditors, regulators, investigators, business partners or shareholders.

Many managers hold the belief that they need to focus on what makes money and let someone else -- like you, the network administrator -- manage all that annoying hacker, virus and compliance stuff. It's a lot easier for them to bury their heads in the sand and pretend that none of it affects their business and their bottom line.

The problem doesn't stop there. It's up to you to make some of it happen. This requires having goals, documenting how you're going to meet those goals and prioritizing how you're going to get there. I know this is easier said than done, especially when you've got major projects to manage and users breathing down your neck who need something new each day.

A good place to start is to get management to buy in to the goals that you've set.

In terms of IT governance and managing information risks, unless you have sustainable, repeatable and automated (where possible) processes combined with reasonable policies that are enforced by technical and human-based controls, there's still some work to do. Don't worry -- all of this compliance and governance stuff is still in its infancy and will always be a work in progress. Do your organization and your career a favor and educate yourself on the fundamentals, which are:

If you can fine-tune your efforts in these areas and pay attention to what's best for the business, in a relatively short period of time you'll be able to build out an IT governance program you never thought would be possible. Unlike most things political, this is the kind of governance that's good for everyone.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. You can reach Kevin at kbeaver@principlelogic.com.
