An effective security program begins with sound policy. In many organizations, however, compliance with security policies remains relatively unknown, poorly communicated or misunderstood. Companies that see regulatory requirements primarily as a burden tend to expend the minimum amount of effort, proactive time and dollars. Policy management by itself does not determine a company's compliance or non-compliance. Companies that truly seek a benefit from policies, regulations and standards will look for ways in which those requirements help them be more efficient, more secure or less risky. Information technology (IT) policies set the tone for enterprise security. Companies need a consistent, automated approach for measuring and monitoring compliance with IT control requirements. Continuous monitoring of technical controls within the IT environment, with the control points automatically correlated back to documented policies, sets the stage. The result of a well-established policy management program with continuous monitoring is a current snapshot of enterprise IT risk at any moment in time, not just before or after external auditors show up.
Obligation vs. Opportunity. Derek Gant. Risk Management; Sep 2009; 56, 7; pg. 58 (Docstoc). Reproduced with permission of the copy