infoTECH Feature

December 09, 2009

Ensuring Security and Compliance throughout an Organization

By TMCnet Special Guest
Christopher Burgher, Associate Principal Information Security Practice, Center of Excellence, Consulting Services at SunGard Availability Services
In today’s corporate environment, CIOs and security managers need to protect information assets such as intellectual property and personally identifiable information.
 
Key business drivers for data protection include regulatory compliance, competition in the market, legal and recovery costs associated with breaches, and brand risk. So how do risk managers address these issues?
 
There are several actions that can be taken in parallel and it should be noted that ensuring security and compliance is an ongoing process, not a single action. As an organization improves its security and compliance posture, processes can be institutionalized and improved over time.
 
An initial activity should include discovering what, if any, regulations the organization must comply with. Data protection regulations generally address a specific data type such as PCI for credit card data, HIPAA for health information, GLBA and SOX for financial data, and so on. Public companies typically hold more responsibilities, but all companies must comply with some regulations, including state breach laws around personal information.
 
Another activity useful for protecting data is called data classification, where an organization discovers what data resides where in the corporate environment, who uses it, who “owns” it, and how it is stored, processed and transmitted.
 
Once the data classification and regulatory assessments are complete, a corporate policy can be developed. This information security policy is a high level document describing the organization’s governance of data, including executive sponsorship. This policy is then communicated to the employees and training is conducted to educate everyone on how to comply with the policy.
 
The ISO 27002 standard is an internationally recognized standard that provides guidance on how organizations can protect IT assets. This standard is often considered a benchmark that can enable an organization to meet many, if not all, security and compliance goals. Other useful standards include ITIL, COBIT, and NIST. These standards, along with detailed procedures, can enhance an organization’s high level security and compliance policy.
 
The organization can now begin to implement controls according to policy to protect data. Controls include technical, administrative and physical means, and these can certainly take time to design and deploy. Regular assessments of the security program by internal audit and external consultants complement IT security efforts to secure corporate IT assets.
 
To ensure ongoing diligence, an IT security manager, chief security officer, chief risk officer or an IT security steering committee should be established to bear responsibility for the overall program. This function is best organized outside of IT to provide better segregation of duties and governance.
 
With a well-designed and well-documented set of processes and controls, an organization can ensure IT security and compliance throughout the enterprise. The most important first step is to remember that security and compliance are an ongoing process, not simply a bullet to mark on a checklist.
 

About Christopher Burgher
With 20 years of experience gleaned from a number of information security leadership positions, Christopher Burgher, associate principal information security practice, center of excellence, consulting services at SunGard Availability Services, is an expert in helping organizations achieve enterprise-wide security and compliance.
 
Leading a team of 20 individuals, Burgher assists in directing SunGard’s information security consulting practice. He is responsible for supporting the sales team by providing ongoing informational training, while working to continuously refine and enhance SunGard’s practice development. Burgher also holds staffing responsibilities, ensuring the best and most qualified consultants deliver SunGard’s solutions and services.
 
Burgher joined SunGard Availability Services in 2004, serving as an engagement manager responsible for professional consulting services. Before joining SunGard, Burgher launched his own business, Workstation Integrators, and also worked in the information security practices at PricewaterhouseCoopers and Arthur Andersen. Burgher’s expertise in information security and compliance requirements touches a wide variety of verticals including healthcare, financial services and government markets.

Burgher holds a Bachelor of Science in computer science from Drexel University and has been a frequent speaker at product development tradeshows and conferences. Burgher has also been quoted in security information articles in various IT trade publications. Burgher holds the CISSP, CISA, and QSA certifications.


Edited by Michael Dinan