A growing number of industry and governmental regulations, many of which contain security requirements, have come to be part of everyday work life.
In most cases, the regulations require responsibility from management to establish and maintain a sufficient and reliable internal control and audit structure used for financial and regulatory reporting. Organizations must be able to provide an assessment of the effectiveness of the internal control structure and procedures to meet these requirements.
From a network security perspective a company needs to secure its IT environment by assessing, prioritising, and securing their systems from vulnerabilities in a repeatable, controlled manner.
Below is a list of common regulations:
Sarbanes-Oxley Act of 2002 impacts all US publicly traded firms, with regards to accurately reporting financial metrics, and establishing the appropriate safeguards to ensure safety and accuracy of the data.
ISO 17799 version 2 / BS7799 of 2000 requires processes to ensure that the security controls for a system are fully commensurate with its risks. This embraces the study of relevant threats, vulnerabilities, controls in place, and of course potential impacts.
Gramm-Leach-Bliley Act (GLBA) of 1999 includes provisions to protect consumers' personal financial information held by financial institutions.
Basel II International Convergence of Capital Measurement and Capital Standards of 2004 impact the international banking industry.
Cardholder Information Security Program (CISP) of 2000 is required of all entities that store, process, or transmit Visa cardholder data.
Data Protection Act of 1998, which governs the processing of personal data in the United Kingdom.
MEInfoSec has through our services developed an approach to address the challenges of compliance. This Information Security work-flow enables you to align MEInfoSec's approach to network security with the real business risks facing your organisation.
We assist companies in their vulnerability management process, including vulnerability assessment and security configuration baseline. Mitigation activities are prioritised based on the severity of the vulnerability, the current threat environment, and the business use of the vulnerable asset. MEInfoSec assist companies in protecting and shielding vulnerable assets until a permanent solution is completed as well as identify the root cause for the vulnerability, enabling the company to eliminate the threat through changes in the network, server, and pc configuration policies.
The open and interconnected networks of organisations today allow the companies to work more effectively by easily sharing data with customers, suppliers, and business partners.
However, the same networks pose a serious threat to organisations if not properly secured. Information security threats of today are more sophisticated, frequent, and dangerous than ever before and can result in damage to the IT infrastructure around the globe in a matter of hours from a number of different points on the network.
IT Security Risk Management requires better coordination and a holistic approach to handle an increasingly difficult task. It requires organisations to capture information seamlessly and act on vulnerabilities in a quantified and qualified way. IT security solutions such as firewalls, anti-virus software, and intrusion detection systems are necessary layers of security, but are incapable of proactively detecting and preventing network vulnerabilities.
Organisations must adopt a multi-layered approach to network security to create protection redundancies such that if a threat passes through one level, it is stopped at the next. Better yet, organisations must adopt an approach that proactively addresses the underlying security threat before it becomes a risk .
A critical component to maintaining business continuity is preventing security threats from compromising critical systems. As new vulnerabilities are discovered and patches are released, organisations are challenged on how to prioritise these updates.
The window of time to remediate new vulnerabilities has shrunk to just hours, compared to months in the past. With this shrinking window, network security policies must include a component to provide immediate action to protect from new vulnerabilities as they are announced.
