Got the latest in high tech security. Check.
Everyone scan their fingerprints. Check.
System up and running. Check.
But a simple trash can propping open the door undermines all of these efforts: despite the best intentions, the security is simply brushed aside, and your business is no more secure than it was before you implemented the system.
The same thing happens with technology in an organization. There is every intention of developing sound IT policies and procedures, and even of employing the best technology to get there. But proper data or system governance is not about checking boxes. It’s about providing comprehensive end-to-end solutions that take into consideration the design, the business requirements, industry best practices, policies, procedures, reporting, auditing and control.
All too often companies enter the realm of IT security because their hand is forced by an audit or regulatory requirement. The problem arises when they are only trying to satisfy that basic need and are not looking at how security is managed holistically:
- What problems occur when controls are bypassed?
- Why are these controls bypassed?
- How do we get alerted when things are not being done by design?
- What is the course of action when the security controls are bypassed?
This is precisely the area that most companies do not have a plan for. The reality is that it is human nature to help others, and sometimes that involves bending the rules. Maybe it is to get some help in return, or just to impress a colleague with the ability to circumvent these pesky controls.
So how should companies deal with this? How can you prevent or react to these kinds of breaches? The best approach is to make sure that the design involves all parts of the business and addresses the possibility that someone might circumvent the control. This is not to say that you need to slow your project to a crawl and get business sign-off on every aspect of the system, but make sure that you have thought about more than just IT and its needs. The business, after all, is what is most important.
You must assume that someone isn’t going to follow policies or procedures. It is going to happen. When it does, how will you know? What reporting and alerting is in place? This is an often-overlooked aspect of implementing controls. Everyone is focused on creating the right policies, but how will those policies be monitored? There is a wealth of great solutions that can report on all kinds of activity and data, but not all of them speak in terms that are useful to the company. What you don’t want is a report that just dumps raw data, or a set of out-of-the-box reports. This is precisely why these lapses occur: there isn’t good reporting.
OK, you’ve got great reports. Now what? Your data or systems governance solution needs to prepare for the inevitable lapse in controls, whether intentional or accidental. This is as important as the control itself. Who gets the reports? What steps need to be followed once a report highlights an issue? Whose responsibility is it to ensure the breach is closed? Once these questions are answered, you are on the right path to a proper governance solution.
Don’t be the trash can in the door fouling up your IT Security.