Security & Compliance

“Information security” (or “Infosec”) is defined by United States law as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity and availability (CIA). The Federal Information Security Management Act of 2002, or FISMA, elevated information security to an economic and national security interest of the United States.

It has become an increasingly important part of IT; in fact, since the inception of this blog in 2009, the visibility of the function and the demand for the skills have grown many times over. Security is a critical responsibility of the IT manager, and regardless of whether or not an organization has a separate security group and a CISO, there should be an Infosec program.

As if actual security issues were not enough, IT managers must also contend with perceived security issues in the form of legal and regulatory requirements they must adhere to. This is typically referred to as “compliance” or by the acronym GRC, for Governance, Risk Management and Compliance. Sources of these compliance burdens include HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley), GLB (Gramm–Leach–Bliley), the Payment Card Industry Data Security Standard (PCI DSS), Basel II/III, etc.

SOX is particularly burdensome to IT due to its vagueness.

The standards bodies that the industry looks to for direction in information security are ISACA, ISC2, and NIST (FISMA).

The cornerstone of IT’s role in information security and compliance is the information security policy.