Security & Compliance

Information security is the protection of the confidentiality, integrity and availability (CIA) of information system assets. It is a critical responsibility of the IT manager, whether or not the IT department has a separate security organization and a CISO.

As if actual security issues were not enough, IT managers must also contend with perceived security issues in the form of legal and regulatory requirements they must adhere to. This is typically referred to as “compliance” or by the acronym GRC, for Governance, Risk Management and Compliance. Sources of these compliance burdens include HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley), GLB (Gramm–Leach–Bliley), the Payment Card Industry Data Security Standard (PCI DSS), Basel II/III, and others.

SOX is particularly burdensome to IT due to its vagueness.

The standards bodies that the industry looks to for direction in information security are ISACA, ISC2, and NIST (FISMA).

The cornerstone of IT’s role in information security and compliance is the information security policy.