In an increasingly regulated world, all companies today have to take a long hard look at the way information resides within their organisations, who has access to it, and more importantly, whether it leaves them open to operational and security risks.
These concerns are underpinned by, among others, the King III report on good corporate governance, which focuses in detail on IT governance in the context of risk management.
The report states that confidentiality, integrity and availability of business networks are essential components of good governance, and stresses the need to safeguard the authorised use, access, disclosure and modification of the information residing in information systems.

Says John Mc Loughlin, MD of J2 Software: “Business today is all about taking risks, being bolder than your competitors and treading new paths that lead to greater financial gains. However, these variables are underpinned by the principles of information security, because with greater success, companies also often become the targets of malicious attacks from within and outside their organisations.”

He says IT executives within organisations need to take on this responsibility squarely in order to reduce the overall risks to the business.
“This requires a thorough understanding of risk at any point in time, and this can be challenging because you cannot manage what you cannot see. You can only know where your risk areas are if you know where your business information is and how information is accessed, used and moved in and out of the business.

“Before companies can properly assess their internal and external risks, they must know where the business critical data resides, who is accessing it, how it is used and which users are moving, printing, copying or deleting it,” he adds.

Mc Loughlin says to address this, the business must put proper risk management strategies in place, such as security policies and controls on how information is managed throughout its life cycle – how it is captured, processed, used, stored and discarded. It is then vital that these policies are proactively and automatically monitored and enforced.

“When you select the solution for your organisation it is critical that you choose a product that will give you the ability to track, monitor and control user activity on and off the network. You will need to ensure that the solution is easy to use and provides automated enforcement and simple-to-run reports which can be sent to any person in the business.

“Once you have the solution installed, it is then vital that the process is managed. This is not merely a case of ticking check boxes, but of using accurate information about what is really going on to ensure that you stay abreast of risks by tracking changing behaviour.

“These processes must then be refined, not through check-box compliance, but through actionable risk management programs, such as risk analysis, security information event management and vulnerability scanning that address IT security as a business risk.

“Companies today have to recognise that they must have adequate visibility into their organisations to assess risk, vulnerabilities, compliance and security. With the right tools, organisations can save a massive amount of time and money while reducing risk.

“More importantly, increased visibility into an organisation can provide early detection of possible catastrophic damage and supply actionable information and preventative controls to protect an organisation’s most important asset, information. Information security is the driver of good governance, and the ability to report on organisational risks and to manage these transparently is key to this,” he concludes.