Thursday, October 28, 2010

Maintaining Sarbanes-Oxley Compliance

When Sarbanes-Oxley was introduced back in 2002, everyone scrambled to get their business and IT infrastructure compliant. Today, the trouble isn't getting your policy model compliant; it is maintaining the compliance that you initially set up.

IT is a field that is constantly changing, and so the IT policy and structure in your business will change and expand constantly. Putting documentation and a set of controls in place that allow for improvement is the first step toward ensuring that your compliance efforts are not too rigid. In order for businesses to stay competitive, they must have the ability to be flexible. If your set of controls is too rigid, it will hinder your company's flexibility.

Having a set of documents that states your processes and controls will make it easier to maintain order when introducing new policies and models for your IT infrastructure.

One way to ensure compliance is to monitor legislation and stay on top of new regulations as they are put in place, so that you can adjust your internal policy. Document these new regulations and then make adjustments accordingly. Organized documentation is one of the more difficult but crucial keys to maintaining compliance.

Change control policies must also be put in place and documented. Having a change control structure in place provides a system of checks and balances for your business and IT department. Having change control policies documented will also ensure that you have the right documents to show in the event you are audited.

Risk management is something that many IT managers deal with on a day-to-day basis. Taking into account the risk levels that come with new regulations and new technology will help you decide the best course of action. As always, documenting this will help you get a better grasp of the scope of the project or policy.

Sometimes maintaining compliance is more about policy management and documentation than it is about actual network security. But the two go hand in hand. The technical geek inside us all wants to focus strictly on the security technology that underlies every compliance regulation. The truth is that documentation and change control processes are what drive it all. Without the policies in place to maintain compliance, security goes out the door.
