Compliance Does Not Equal Security

Many business managers assume that meeting compliance requirements and regulations means that the organization has sufficient and effective controls in place to protect against security breaches. Legislation may specify the actions to be taken in the event of a security breach but typically does not identify the controls needed to protect the organization's sensitive information.

Protecting your systems and sensitive data is not easy. Network administrators use many techniques to ensure that basic security controls are in place:

• Access to systems and data is only provided to authorized staff.
• Firewalls are implemented at the network perimeter.
• Anti-malware and anti-virus software is used to protect both workstations and servers.
• Servers and workstations are patched on a regular basis.
• Backups are performed on a regular basis and stored off-site.

Even with security controls in place, hackers use creative ways to by-pass security systems and gain access to data. Altius IT recommends additional safeguards to reduce your risks:

• Assign the role of Chief Security Officer (CSO) to a member of your staff
• Perform a risk assessment to identify your most important assets
• Identify and implement controls to protect your important assets
• Prepare formal policies and an Incident Response Plan
• Ensure agreements with service providers contain the appropriate wording to protect your organization
• Implement a security training program for your staff
• Ensure independent network security audits are performed on an annual basis and after major changes to your systems

A formal network security audit should evaluate over 50 areas including technical, physical, and administrative safeguards and controls that protect information systems and data.  For the business manager, network security audits help the organization identify, manage, and reduce risks before they can be exploited by an intruder.