In the last few years, data breaches, thefts, cyber attacks, unavailability of key IT systems and the like have become a regular part of the news. Worse, the news is pouring in from many different industries, which suggests under-investment in IT infrastructure and a systemic problem across those industries. Sony, RSA, Target, RBS, NatWest, JP Morgan, Nasdaq and Ashley Madison are some recent examples where key IT systems were down during business hours or customer data was stolen.
The root cause of the problem becomes evident when you look at some of the conventional approaches many firms take to managing their IT organisation. These approaches include:
No documented policies, standards or baselines defined for the IT systems. (Some claim there is no need for these documents, as nothing can go wrong thanks to the firewall at the perimeter or the pen test performed last year.)
Vaguely written policies, standards or baselines (sometimes intentionally vague).
Documented policies, but no regular compliance monitoring to validate whether staff are actually following them.
Once in a while, a checklist-based self-assessment in which IT managers declare, on the basis of their own understanding, that everything is compliant (without even looking at the configuration of the devices in question).
Waiting for the auditors to come and tell them what to do.
And finally, the most popular approach: “Who will budget for regular compliance monitoring? We don’t have the budget or the resources.”
Well, the choice is very simple. Budget for it in advance and make regular IT compliance monitoring part of Business as Usual (BaU) operations, or be prepared for a mishap and wait for the fines from regulators or the lawsuits from disappointed clients.
My intent is not to scare anyone, but the fact remains that there is a material risk out there which we can no longer ignore. Even regulators such as central banks across the world are now working on cyber resilience guidelines and requirements for key financial institutions, and governments are publishing Cyber Essentials requirements for suppliers that process or store data.
With increasing scrutiny and expectations from regulators as well as clients, I hope firms will encourage their IT organisations to document detailed policies, standards and baselines, and to start regular compliance monitoring of their IT systems against those documents. However, a key challenge remains: there are not enough skilled people available in the market to meet the industry's requirement. A potential solution is therefore a mix of automation and human review: an automated auditing tool that regularly reviews the IT systems against a defined baseline and sends the report to a set of people including system administrators, information security officers, technology risk managers, compliance officers and internal auditors, who then analyse the data to filter out false positives and identify immediate priorities or thematic issues.
In the Forum section of this website (Automated Auditing Tools), you can find an example of such an automated auditing tool, GFI LanGuard, which can regularly scan your enterprise network for servers, desktops, mobile devices, tablets etc., identify missing patches, security vulnerabilities, unapproved software, outdated third-party software, missing antivirus or firewall software, and automatically email the report to a number of recipients. Additionally, you can use the tool to fix the issues from a central console at enterprise scale.
I hope that with an adequate mix of good-quality information security policies, standards and baselines, regular compliance monitoring by system administrators using automated auditing tools, and finally (and most importantly) regular analysis of the compliance monitoring reports and tracking of remedial activities by all three lines of defence, firms can achieve a more sustainable and reliable IT estate.