IT Security approach: Compliance vs. Risk
Published on 28/09/2016
Co-written with Margot

The goal of these few lines is to share some simple thoughts on how to handle IT security practices and to compare two approaches: the compliance approach and the risk approach. For many years, IT security has mostly been handled through compliance checklists, based on market IT security standards (e.g. ISO 27002, COBIT, NIST), specific IT general controls (ITGC), domain-specific best practices or regulations (e.g. Sarbanes-Oxley, PCI-DSS), and internal security policies (derived from the previous ones). Today, with the threat landscape evolving, the company's IT security exposure increasing and budgets tightly managed, this multi-checklist approach is no longer appropriate, for two practical reasons:
- Cost: it is too expensive to implement on the entire company’s scope
- Efficiency: it is inefficient at covering new threats across the whole IT scope
- On the one hand, build a prioritized list of measures (organizational, functional and technical) to be implemented, based on the criticality of the risk they cover. This list should be handled at group level and shared with the entities;
- On the other hand, implement these security measures on defined scopes of the company, based on its businesses, its critical data and its IT risks. This scoping is to be performed within each entity;
- The prioritized list of security measures is to be regularly updated based on technology evolution and concrete vulnerabilities detected through audits, vulnerability scans, penetration testing, etc.
- The companies to correct already-known vulnerabilities, and
- The pen test team to go deeper in their analysis and find new vulnerabilities rather than always exploiting the same ones.