Standardisation is a great way to create a framework to work within, but ultimately the greatest standard one can follow is common sense. ICT and data compliance however, are a requirement that CIOs cannot escape. But regulatory adherence doesn’t have to be an administrative nightmare for already time-starved IT execs. This blog takes a look at a few key elements that should be on every CIO’s compliance checklist to aid in meeting data compliance challenges in the context of the modern networking environment. These are not at all exhaustive, but form the crux of what should be on every CIO’s mind.
This describes the scope of the checklist, which areas are covered and any assumptions and exclusions. Before SOX (the Public Company Accounting Reform and Investor Protection Act of 2002) there was a divide between IT audits, which normally focused on technology matters, and internal and external audits, which focused on financial matters. Nowadays that divide has disappeared, because IT management and business leadership are closely linked.
Put in place measures and systems to record, propose, approve and monitor changes. Before changes are made, change-impact assessments need to be run, and input from staff and affected persons, including service providers, needs to be collected and analysed.
Are there systems in place to schedule and monitor maintenance events? Regular, periodic maintenance events such as penetration testing need to be undertaken and audited.
An essential part of IT compliance and business continuity is simulation. Simulations highlight strengths, weaknesses, opportunities and threats, all of which can be used after an audit to make positive changes and build resilience. These simulations need to take place regularly, and all affected parties should be notified well in advance.
Threat and risk assessment
One of the cornerstones of business continuity, threat and risk assessment is vital to identify and deal with potential threats and weaknesses. This is an ongoing process, not a one-off exercise.
Risk mitigation and disaster recovery
When the pressure is on and systems are failing, disaster recovery and risk mitigation plans can save a company’s bacon. Having identified threats and weaknesses, one has to create a mitigation and recovery plan for each potential threat.
Auditing is an essential part of threat detection, and it also provides a way to monitor the performance of the various entities in a business. After audit reports have been issued, changes can be made and incorporated into policy and governance.
Divide et impera is a Latin phrase loosely translated as divide and conquer. Use this principle to structure one’s organisation into manageable parts which can be monitored and controlled. These parts can then be managed more easily by competent people. Staff will also know the correct person to contact or ask for help when needed.
Controls and monitoring
This describes the monitoring and control of IT systems and infrastructure. Controls are used to manage security and access. Monitoring allows one to gather data that can be used in infrastructure management.
IT compliance doesn’t have to be a grudge-duty
A carefully crafted and organised IT compliance checklist is not only essential to the safety, security and predictability of networking environments, but a key document that forms part of a business’ strategic goals. As IT managers are increasingly drawn into top-level decision-making discussions, it is important for them to influence the business in a technologically strategic way. This includes driving the business forward through technology while at the same time safeguarding it from over-exposure. Iterative IT compliance checks mean CIOs can be confident that their environments meet the performance, security and compliance demands placed on them.