Think you've got IT governance? Probably not. And empty promises on paper or fancy technologies that aren't managed the right way aren't going to cut it. However, again and again that's what I see when it comes to managing information risks.
With documentation, I see everything from stale policies addressing 5 1/4-inch floppies and Word macro viruses to incident response plans focusing on what to do when the network is attacked via dial-up modem. I even see outdated references to auditor checklists with eight or 10 questions concerned mostly with passwords being at least six characters long and containing both letters and numbers.
Likewise, when it comes to security controls, I see and hear everything from audit logging that tracks every event under the sun without a single person monitoring what's going on to "Yep, we have a firewall and antivirus software -- that's all we need, right?" Or, how about this one: "We trust our employees -- we gave them a copy of our policy document when they started working here and they know to be on the lookout." There's even my favorite: "We perform ongoing security testing. Here's a copy of our report from three years ago." Even with all the known hacks, social engineering breaches and clear and concise compliance requirements, this mode of operation is still what's driving the information security function within a lot of organizations.
Let me get to the root of the problem: It's the higher-ups on mahogany row. You know what I mean … your boss and his colleagues who can't be bothered with the burdens associated with information security. By and large, management is disconnected from information security and IT governance in general. In fact (see if you recognize this), if something bad ever happened -- be it a lost laptop, a social engineering attack, a widespread malware outbreak or whatever -- and systems were down and information was lost, those higher-ups really wouldn't have any good answers for the auditors, regulators, investigators, business partners or shareholders.
Many managers hold the belief that they need to focus on what makes money and let someone else -- like you, the network administrator -- manage all that annoying hacker, virus and compliance stuff. It's a lot easier for them to bury their heads in the sand and pretend that none of it affects their business and their bottom line.
The problem doesn't stop with management, though. Some of this is up to you to make happen. That requires having goals, documenting how you're going to meet those goals and prioritizing how you're going to get there. I know this is easier said than done, especially when you've got major projects to manage and users breathing down your neck who need something new each day.
A good place to start is to get management to buy in to the goals that you've set.
In terms of IT governance and managing information risks, unless you have sustainable, repeatable and automated (where possible) processes combined with reasonable policies that are enforced by technical and human-based controls, there's still some work to do. Don't worry -- all of this compliance and governance stuff is still in its infancy and will always be a work in progress. Do your organization and your career a favor and educate yourself on the fundamentals, which are:
- Understand that threats + vulnerabilities = risk
- Focus on your highest payoff tasks
- Never forget that reasonable policies that are enforced and kept up to date are a required ingredient
- Spend as much on sweat equity as you do on technology and services
- Know you'll always have leftover risks (acknowledge them, document why you're not addressing them, and move on), and
- Remember, it's all about gaining and maintaining control.
If you can fine-tune your efforts in these areas and pay attention to what's best for the business, in a relatively short period of time you'll be able to build out an IT governance program you never thought would be possible. Unlike most things political, this is the kind of governance that's good for everyone.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. You can reach Kevin at email@example.com.