The Cost of Technology Compliance
Dave Howell, MS, CPPM
Through research, program development and project delivery I manage the delivery cycle to ensure innovation for business and customers.
In 2015, while briefing the CIO of a Fortune 1000 company, I identified three risks to the data center project: 1.) an immature change management process, 2.) a nonexistent release management process, and 3.) a nonexistent compliance program.
I am sure this thought rings true for CIOs and CSOs (TSOs), since they are the go-to for every significant penetration and/or hack. CIOs and CSOs must answer to the CEO and Board of Directors, and this can be a very painful event, up to and including loss of their job. Think of the Target hack a few years back.
The cost of compliance can be quantified against many different factors, such as loss of dollars per hour or day, brand damage, etc. The preference here is for IT to stay ahead of hacks, if that is even possible, to mitigate customer losses.
How challenging is compliance in today’s environment? Difficulty level 10 out of 10. If you don’t believe me, then how do you explain away the blockchain hacks in the last year, totaling almost $1B in direct investor losses? I predicted in 2015 that blockchain was hackable because of network skipping and because IPs can be replicated, and thus hacked.
I’m reminded of two tangents: the first is CLOUD and the second is assessments. For the first, CLOUD should be owned by a team (an Architecture Control Committee) consisting of your Architect, Security Team, Network Team, Storage Team, and the associated teams that are impacted, such as UNIX, Apps, DBs, etc.
The challenge in private/public/hybrid CLOUD or MSP CLOUD is deciding what the provider guards against and what the client guards against. Configuration issues demand that the client adhere to the agreement and configure accordingly, together with everybody who is impacted. In considering CLOUD services, you may need to prioritize an assessment tool such as ISO 27001/ISO 27002 and/or HiTrust, or another assessment tool.
The second issue is compliance assessments. Here an organization must apply the appropriate assessment tools that it feels meet industry best practices. In my current role, CJIS, PCI, and HIPAA apply, so the question is, “whose assessment do we use?” The FBI manages CJIS, NIST manages 800-53, and so on. The answer lies in each organization’s unique characteristics and the best assessment tool for them.
I just attended an AWS seminar dealing with their ability to deliver HiTrust Certification; as you may remember, 3rd-party certification is the hallmark of HiTrust and ISO. My thoughts after hearing AWS are that there is a plethora of vendors who conduct all the mainstream assessments. Choosing a vendor has its own challenges, and careful consideration requires due diligence and possibly a weighted scoring tool with demos to evaluate and select a vendor for this important task.
The two components of assessment in technology need to be physical and logical: data center and cyber security. In my past I have developed assessment tools for NIST, CJIS, and data centers to ensure compliance for the CFPB, NCUA, Fed Bank, and so on. The key to success for me was creating a rubric that met the assessment organization’s specific targets through a client evaluation step. I created assessments that tracked to specific IT departments and held them accountable for status. Success, or Zero Defects, doesn’t mean you solved everything; it means that you are aware and have directed a way for your individual teams to achieve the standard.
What have we learned from this information? First, organizations need to appoint within their own organizations an IT POC who will move the organization forward in compliance. Second, the organization must choose the assessment tool(s) based upon the eco-system they maintain. Thirdly, organizations may want to collaborate with their internal Audit Teams so that both teams develop tools to test the readiness of IT and cyber status. Finally, choosing an in-house program or a 3rd-party assessment firm is the final leg for compliance. Organizations must decide on value: whether developing their internal program will be effective versus paying the extra cost of an external assessment firm like Coalfire or Denim Group, with whom I have worked in the past, and the value of their Certification Letter for HiTrust and what that means to an organization’s customers.
I am seeking feedback, and if you have any questions, contact me, Dave Howell, at [email protected] or 210-618-6566 for more information.