*Disclaimer: This article originally appeared on IDG Connect.*
Over the past few years, Governance, Risk, and Compliance (GRC) have become three of the hottest topics in Information Technology circles. The growing demand for compliance with federal and state laws, as well as industry best practices, has necessitated a closer look at IT governance, and at solutions that help ensure an organization has invested its time and effort wisely through the management and implementation of technologies such as access control, data protection, and identity provisioning and management. Proper design, application, and use of these key technologies (and others) help control the necessary risk management activities and ease the effort required to remediate or address areas where compliance is lacking.
While GRC is really a never-ending cycle, governance and compliance can be contrasted in the same way as proactive and reactive security measures. Some aspects of each might be considered proactive, reactive, or both, but the nature of the beast is that governance (establishing the policies and rules for managing IT and data) is a proactive measure. The goal is to prevent security lapses and vulnerabilities before they occur.
Conversely, compliance (taking steps to adhere to the laws, regulations, and rules) is more the opposite: it reacts to changes or updates in the rules and in the organizational security landscape, whether by implementing new hardware or services, modifying policies to meet new guidelines, or training users to improve overall security awareness within the company. Organizations always hope that compliance activity comes before security breaches, but that’s not always the case, as evidenced by the slew of high-profile healthcare industry breaches that have occurred over the past year.
When it comes to governance, many CISOs begin with policies and procedures as their first action items. Undoubtedly, corporate security policies are “must have” pieces of any organizational security posture, and, after all, most C-level executives pride themselves on their ability to communicate and convey important topics to an audience. As such, they feel policy is a great fit for introducing security to employees and reminding them of its importance.
The policies might contain, for instance, rules about data storage and sharing, password complexity, access control permissions (who may access data, where they may access it from, and who manages the controls and the data storage behind them), and other items whose consistent application is required to keep the IT infrastructure secure.
But what happens when the corporation loses focus on its policies, or those policies get lost in the shuffle of “more important” business? Ultimately, the security mindset begins to slip, the basic tenets of security are forgotten, and breaches may occur. The processes and rules are in place, but they lack enforcement, and issues arise.
Studies have shown that IT security staff often get caught up in technology investments and focus less on the policies and procedures that were implemented to help mitigate or prevent security issues within the organization. While tools like Security Information and Event Management (SIEM), antivirus / anti-malware, intrusion detection / prevention (IDS / IPS) solutions, and firewalls are useful preventative measures and sources of information for security analysis (and are definitely worthy additions to a security team’s arsenal), ultimately, the majority of these tools don’t directly affect the lowest and typically most easily-defeated level of security within an organization — its end-users.
At the core of what an end-user experiences, with regard to security, are those pesky security policies that typically exist in employee handbooks or are posted on company intranet pages. The average employee might read these policies when they are first encountered, such as during onboarding as a new hire or when a new policy is introduced, then sign a page acknowledging that they have received them.
However, more often than not, that initial or subsequent yearly acknowledgement is simply an employee checking a box without having read the entire document. Short of requiring employees to attend annual security awareness training, there is simply no way to know that the average employee has read or truly understands the corporate IT security policy, or, if they have read it, that they will follow it.
So what good is a corporate IT security policy if it only exists in an employee handbook?
Quite simply, a policy by itself is little more than words written on the paper (or screen) on which it is displayed. If users can’t or don’t follow the policy, it is a pointless endeavor. Herein lies the need for solutions that proactively implement governance wherever possible, in order to lessen the need for reactive compliance-related activity after the fact. The more closely activities such as provisioning and identity management can be kept in line with defined policies and procedures, the less effort will be required to maintain compliance.
With regard to aiding governance efforts, a proper solution will implement highly configurable access controls, strong password policy adherence, secure and consistent provisioning, and identity and data security and encryption. Additionally, should policies change or require review, the solution should incorporate configurable auditing and reporting capabilities, as well as the ability to easily reconfigure or adapt existing controls and policies to align with the current state of the organizational security posture, easing any necessary compliance efforts.