I think he hits the nail on the head and, together with the article I linked to in my previous post, this is the future of Information Security.
I believe the take-away quote is this:
"However, compliance is not a technology problem — it’s a business problem which needs a business solution. By instituting sustainable business processes that effectively leverage people and technology, enterprises will become not just more secure but also compliant with current and emerging regulations."
I think that everyone involved in Information Security should read that, understand it and learn it off by heart. And then practice it.
Once we can define a process and what information is used in it, who does it and when it happens - bingo - we can secure the process from start to finish. Most companies I have worked in (and I have worked in plenty) have no formal process design and so would not be able to properly enforce Information Security.
1 comment:
"Once we can define a process and what information is used in it, who does it and when it happens - bingo - we can secure the process from start to finish."
Allen, you will notice that your statement reflects the usual object-centric approach to data classification. The final step is to determine who you trust (in user roles) with the data.
We take a different approach. We determine the relative trust relationships of the user-roles, within user-groups and in the organization, and then profile the information they use accordingly. I guess we are starting with the end in mind.