IT Strategy and Governance: Avoiding the pitfalls of Perception Bias…

In a recent article for the Payment Card Industry magazine Secure Payments, I introduced the conceptual idea of Information Technology Governance as a bicycle wheel: the organization is made up of the spokes (representing all initiatives, whether contractual, regulated, or necessitated by competition), and the rounded wheel depicts the operating strategy of the business, fully integrated and inter-dependent.  Check out the article here online (starting on page 24), or join the SPSP and receive complimentary copies in the mail.  In it I lay out the challenges facing organizations that focus on a single regulation as the means of orchestrating their security and compliance programs.  The concept of creating a custom control framework is articulated and broken down in IT Compliance and Controls, which I published last year with John Wiley and Sons (for those looking for greater discussion and practical advice).
Why is a single-regulation focus wrong? To extend the article's points: the information technology operations of a business are unique to that business, as unique as its culture.  While the parts that make up the information technology (routers, switches, clouds, software, etc.) are common to many businesses, their particular combination and implementation make up the competitive advantage of the business.  So, if following one regulation is not appropriate for all businesses, is it at least appropriate for all businesses within a particular industry?  Simply answered, no.
The organization, in the instance of PCI DSS, is susceptible to many different risks.  These risks relate to geography, staffing, operational decisions, and factors external to the business.  Each standard is conceived under the premise that, for a single assumed environment, XYZ are the risks and the appropriate mitigating responses.  That premise falls apart as soon as additional concerns, assets, and risks are introduced, which in practice they always are.
IT Strategy and Governance must therefore constitute a merging of business aptitude with technology capability.  This is a topic we will revisit with greater specifics and tools for achieving that objective.  Thoughts / Concerns?

Devolution, Forrester, Synergies, and reducing TCO

Devolution was pitched yesterday by Forrester researcher Andrew Jaquith on a webcast entitled “Effective Data Security: No Forklift Required”. I quite enjoyed the presentation and thought the concepts were timely and consistent with what has been needed in the market. In fact, I spoke on this last year at the RSA Conference 2008 and dedicated a portion of my book IT Compliance and Controls to this concept. However, my focus was on synergies across business controls and operational targets, and less on the DLP-type challenges Forrester was addressing. The Forrester research provided good detail on the expected shifts in budget, but not on how IT functions and security safeguard requirements will evolve in these situations.

There is tremendous value to be gained from current technology deployments, and tremendous waste occurs when organizations do not communicate. While that is not a very insightful statement on its own, consider the following: organizations that require their technology to meet 99.9xx% uptime and that undergo several audits (privacy, PCI, SOX, IFRS, FISMA, HIPAA) without aligning the underlying technology components across those obligations are wasting money and time. Specifically, according to my research and field experience, these institutions tend to be more insecure despite their heavy focus on meeting audit deadlines and customer SLAs, because the effort goes into re-evidencing the same controls rather than improving them. To save on budget, regardless of the state of the economy, find the synergies and move forward with better security and fewer service problems. A key litmus test: does your staff have to respond more than once to the same question for different audits? If so, this is a symptom of wasted effort and untapped budget flexibility.

During the Forrester call several great questions were posed. If you are able to attend future Forrester research calls, I would advise posting questions to ensure you get maximum value from them.

Thoughts and Comments?

