Some objectives set by auditors can double as practical security investments for the enterprise: met well, they substantially reduce the risk posed by insider threats, improve operational efficiency and put security best practices in place.
Opportunities to cost-effectively scale a handful of sensible compliance requirements to the rest of the organization are often overlooked. Today's challenge is to filter through requirements to identify the activities that scale efficiently and provide impactful risk management with low operational overhead.
Three common examples of compliance requirements that can cost-effectively provide security benefits to the organization are monitoring high-risk users, implementing data classification strategies, and a proper segregation of duties.
Industry and federal regulations require close monitoring and auditing of contractors, IT administrators and other high-risk users. Compliance regimes also require organizations to sort data into categories of importance, each of which dictates the level of internal controls needed to protect that data against theft, compromise, misuse and destruction.
Most regulations require segregation of duties to separate those who create and maintain application software from those who manage the software and the data within it. The risk posed by super-users is often underestimated: they have both the access and the know-how to cause significant damage to the organization. Segregation of duties is a must for compliance and for the enterprise alike.
Implementing these practices lets you negotiate with auditors from a position of strength and assure them that robust security practices are in place. By leveraging compliance investments for general security and reducing the demands set by auditors, organizations can save money from a shrinking IT budget.
This article was co-authored by Frank Marino, senior manager, Frank, Rimerman + Co. LLP.