IMHO, Compliance is Compliance and Security is Security, and they seldom meet. Being compliant might give you some protection you need - and some you don't need as well - but to achieve the security level that is optimal for you, you must do all of your own homework.
"I follow law, agreements and policies" is a poor excuse for not doing the right things.
Policies are decisions made beforehand, assuming a specific reality, both in-house and in the surroundings. Think of budgets, as an analogy: budgets are predictions, built on plans and assumptions about the future economic outcome. If reality turns out differently than predicted, your results will not be as budgeted, even if you follow your plans.
And as reality changes, following policies will give other results than expected, too - unless you are Aware of the changes and Able to change or set aside policies when appropriate, or at least to initiate policy changes (always assume you are Accountable!).
Did you see the AAA Triplet in the paragraph above? Here is another triplet: There are three levels of defense in an organization: Management, Control, and Audit. Never mix them! And never assume that Control or Audit can establish Security in your organization! What is poorly done in Management may be found by Control and criticized by Audit, but only Management has the means and the obligation to introduce the corrective changes needed.
Compliance (i.e. abiding by law, agreements, including agreed standards, and policies) will introduce some good "security" and some good "governance", but it cannot give you all you need in either respect; there will be wants and deficits to deal with, which you will not find if "Compliance" is your only tool. And there is an obvious Risk (sic) with a Compliance-based approach that you get - and pay for - much more than you need; look out for the "best practice trap"! Your stakeholders will dislike this...
In short: Do not abdicate by letting Compliance (or Audit) set your agenda! You cannot afford it.