Managing information risks: Do you have IT governance?


Kevin Beaver, CISSP
02.21.2007


Think you've got IT governance? Probably not. And empty promises on paper or fancy technologies that aren't managed the right way aren't going to cut it. However, again and again that's what I see when it comes to managing information risks.

With documentation, I see everything from stale policies addressing 5 1/4-inch floppies and Word macro viruses to incident response plans focusing on what to do when the network is attacked via dial-up modem. I even see outdated references to auditor checklists with eight or 10 questions concerned mostly with passwords being at least six characters long and containing both letters and numbers.

Likewise, when it comes to security controls, I see and hear everything from audit logging that tracks every event under the sun without a single person monitoring what's going on to "Yep, we have a firewall and antivirus software -- that's all we need, right?" Or, how about this one: "We trust our employees -- we gave them a copy of our policy document when they started working here and they know to be on the lookout." There's even my favorite: "We perform ongoing security testing. Here's a copy of our report from three years ago." Even with all the known hacks, social engineering breaches and clear and concise compliance requirements, this mode of operation is still what's driving the information security function within a lot of organizations.

Let me get to the root of the problem: It's the higher ups on mahogany row. You know what I mean … your boss and his colleagues who can't be bothered with the burdens associated with information security. By and large, management is disconnected from information security and IT governance in general. In fact (see if you recognize this), if something bad ever happened -- be it a lost laptop, a social engineering attack, a widespread malware outbreak or whatever -- and systems were down and information was lost, those higher ups really wouldn't have any good answers for the auditors, regulators, investigators, business partners or shareholders.

Many managers hold the belief that they need to focus on what makes money and let someone else -- like you, the network administrator -- manage all that annoying hacker, virus and compliance stuff. It's a lot easier for them to bury their heads in the sand and pretend that none of it affects their business and their bottom line.

The problem doesn't stop there. It's up to you to make some of it happen. This requires having goals, documenting how you're going to meet those goals and prioritizing how you're going to get there. I know this is easier said than done, especially when you've got major projects to manage and users breathing down your neck who need something new each day.

A good place to start is to get management to buy in to the goals that you've set.

In terms of IT governance and managing information risks, unless you have sustainable, repeatable and automated (where possible) processes combined with reasonable policies that are enforced by technical and human-based controls, there's still some work to do. Don't worry -- all of this compliance and governance stuff is still in its infancy and will always be a work in progress. Do your organization and your career a favor and educate yourself on the fundamentals, which are:

  1. Understand that threats + vulnerabilities = risk
  2. Focus on your highest payoff tasks
  3. Never forget that reasonable policies that are enforced and kept up to date are a required ingredient
  4. Spend as much on sweat equity as you do on technology and services
  5. Know you'll always have leftover risks (just acknowledge them, document why you're not addressing them and move on), and
  6. Remember, it's all about gaining and maintaining control

If you can fine-tune your efforts in these areas and pay attention to what's best for the business, in a relatively short period of time you'll be able to build out an IT governance program you never thought would be possible. Unlike most things political, this is the kind of governance that's good for everyone.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. You can reach Kevin at kbeaver@principlelogic.com.
