NETWORK MONITORING
November 2006
Regulations provide structure
Laws like Sarbanes-Oxley help organizations evaluate and understand their data assets.
by Marv Goldschmitt

Almost all of a company’s most critical assets are now electronic. Even companies that saw physical inventory and manufacturing equipment as core critical assets now realize that the computer models that drive those systems are more valuable. By the same token, information about a consumer’s buying patterns is often more valuable than the purchase itself.

So, the definition of critical assets has changed, and along with it the way the world defines your company’s value, risks and responsibilities. Regulations like Sarbanes-Oxley are simply society’s recognition that value has shifted from hard to soft goods and that protecting information assets is the responsibility of the custodians of this new form of currency.

This change is driving the definition of the controls that IT needs to put in place in order to meet the requirements of ever-expanding government and industry regulations. It also defines what we need to do as IT professionals to meet the requirements of our organizations as the fiduciaries of the critical, and sometimes extremely sensitive, information assets that drive the success of our businesses.

The goals and the drivers are clear, but the path to accomplishing compliance is not. While this transition of value has come to general awareness quickly, as a result of corporate scandals (e.g., Enron) and incompetence (e.g., CardSystems), the problem will not go away overnight. The job of IT professionals is to step back, survey the landscape, develop a reasonable and phased plan, and then get started. The first step is relatively simple: ensure that your organization is paying close attention to where electronic information assets are and what is happening to them. If you do not know what you have and where you have it, how can you protect and leverage it?
Surprisingly, most companies lack visibility into the existence and location of their electronic assets. Ultimately, this knowledge is the foundation for the control you need to fulfill the requirements of almost all regulations, as well as your company’s internal data protection and governance priorities.

In order to achieve real control, however, a new definition of control is necessary. In the past, control over electronic assets was accomplished through access rights and privileges. The new control, inspired by regulation, insider issues, and an increase in the scope and sophistication of information breaches, is about behavior and insight into that behavior: seeing exactly what is going on with information assets. Regulators demand that you understand your information assets well enough to know when information of interest is being accessed or changed. They expect you to know when something goes wrong and to have the ability to do something about it. In that same vein, your business demands that you take the steps necessary to protect your intellectual property and your customers’ sensitive data against known threats, and that you create solutions flexible enough to deal with future threats.

This is where COBIT and ISO 17799 and 27001 come into play. These are models and frameworks for thinking about the problems of information protection and governance, along with guidelines for addressing them. Their prescience is that they were conceived at a time when most of us had not yet given the issue any thought. As a result, since the early 1990s, when the first versions were created, they have evolved in a way that makes them valuable to organizations looking to put a solid information protection and data governance program in place. This evolution is about better control mechanisms and process. It addresses how we can take that first step toward protecting information, as well as where we should aspire to be.
In particular, the most recent versions of these documents are well-structured models that will help you state your challenges clearly, develop goals that are appropriate to the larger needs of your business, and build and execute plans to accomplish those goals in a measured and reasonable way. Additionally, corporate-sponsored organizations, such as the Data Governance Council formed by IBM, are helping to create even more practical best-practice processes to create a common set of standards.

Marv Goldschmitt is with Tizor, Maynard, Mass.