
Positioning paper IT Security and Compliance V3 – Marcel de Haan 2020
IT Compliance and IT Security are not always approached as distinct challenges within companies.
In case of a major issue, whether a regulator report or a security incident, the standard response is: "Get this resolved as soon as possible". Insiders know that security is not a short-term challenge but a long-term process of embedding controls in first-line management activities. Although, from a content perspective, Compliance and Security deal with the same subject, they have different motives, their issues usually have a different impact, and they involve different stakeholders.
This paper provides a pragmatic approach to managing Compliance and Security issues, explaining how organisations can be helped in the short term while ensuring a foundation to gain maturity in the long run. It addresses how to embed change management into the security strategy. This approach satisfies multiple stakeholders at once, including regulators and supervising bodies.
Although this might sound like stating the obvious, this paper distils the following approach, with some detailing that produces significant output. Plan for an assessment and find out your specific challenges. Depending on the results, consider the following:
- The short-term plan should be risk-based and focused on quick fixes; expect these to be temporary, despite the attempt to achieve sustainability.
- Manage the short-term actions related to compliance and to security separately.
- Ensure the foundation for the long-term objectives within the short-term plan:
  - Governance:
    - Ensure strong anchoring of board support: not only a tap on the shoulder and good-luck wishes, but SMART commitment to both the short-term and long-term plans of action.
    - Ensure the security organisation is defined, and start hiring people who fully own their profession.
    - Ensure an up-to-date Information Security Policy is in place, supported by management and with involvement of the supervising bodies or even regulators. Taking them along on the innovative journey delivers goodwill during execution.
  - Planning:
    - Ensure key security measures (Identity and Access Management (IAM), infrastructure security and monitoring, Security Incident Management) are part of the IT planning, and that budgets are in place.
    - Ensure Security by Design is part of the IT planning, together with real-time security, control and administration tooling.
  - Reporting and follow-up:
    - Ensure an Information Security Dashboard is put in place, which can be improved and optimised over time with real-time feeds. This is a key instrument for managing effectiveness, being in control of Digital Security, and continuous improvement.

