Principle No. 1: Focusing on a Few High-Value Controls
Despite this gloomy state of affairs, a more efficient use of compliance and audit solutions is possible. Applying a few key principles is the key to success. The first of these principles is to focus on a few "high-value" controls that deliver a clear benefit when deployed broadly across the organization. These include:
1. Data identification: Locate and classify sensitive or valuable data.
2. Identity-based access control: Control who can access this identified valuable data.
3. Data access auditing: Maintain an audit trail of who accesses sensitive data and, whenever possible, what they do with it.
4. Change management: Control and audit all changes to platforms and applications hosting critical data.
5. IT administrator controls: Although admittedly one of the most challenging, this is also one of the most critical controls to achieve. Without reliable auditing of all activities of system administrators, including tying generic system admin account usage to the actual users behind it, it's pretty much impossible to protect much of anything.
6. Third-party controls: Outsourcing needs to be accepted for the major trend that it has become, and sufficient attention must be given to the security of third-party consultants and service providers.
These are a good starting point. If they can be broadly and efficiently applied, an improvement in overall security posture will follow.
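Controls 1, 3 and 5 above fit together mechanically: a classification table says which data is in scope, an audit trail records every access to it, and shared administrative accounts are attributed back to the named person who was behind them. The script below is an added illustration of that combination and is not code from the article or from any product it discusses. It replays a handful of constructed syslog-style lines (the sshd and sudo wording follows the usual OpenSSH and sudo formats; the `audit:` lines are an invented shorthand for a file-access record, and all hostnames, users, addresses and paths are made up), attributes each access to classified data, and lists the accesses a reviewer must chase because a generic account was used with nobody identifiable behind it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Control 1, data identification: the classification table for paths whose access is
# audited. Constructed sample values, not taken from any real system.
SENSITIVE_PATHS = {
    "/srv/data/customers.csv": "PII",
    "/srv/data/payroll.db": "financial",
}

# Generic, shared administrative accounts whose use must be tied to a named person.
GENERIC_ADMIN_ACCOUNTS = {"root"}

# Constructed sample log lines (hostname, users, addresses and paths are invented).
SAMPLE_LOG = """\
Jan 10 09:01:02 db01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jan 10 09:01:30 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jan 10 09:02:11 db01 audit: uid=root op=READ path=/srv/data/customers.csv
Jan 10 09:02:40 db01 audit: uid=root op=READ path=/var/log/syslog
Jan 10 09:05:00 db01 sshd[1300]: Accepted password for root from 10.0.0.9 port 51300 ssh2
Jan 10 09:06:12 db01 audit: uid=root op=WRITE path=/srv/data/payroll.db
Jan 10 09:07:00 db01 audit: uid=bob op=READ path=/srv/data/customers.csv
"""

SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo: (?P<invoker>\S+) : .*USER=(?P<target>\S+) ; COMMAND=")
AUDIT_RE = re.compile(r"audit: uid=(?P<uid>\S+) op=(?P<op>\w+) path=(?P<path>\S+)")


@dataclass
class AccessRecord:
    account: str            # account that performed the access (may be a generic one)
    actor: Optional[str]    # named person the access is attributed to, or None
    op: str
    path: str
    classification: str

    @property
    def attributed(self) -> bool:
        return self.actor is not None


def audit_sensitive_access(lines: Iterable[str],
                           sensitive: dict[str, str] = SENSITIVE_PATHS,
                           generic: set[str] = GENERIC_ADMIN_ACCOUNTS) -> list[AccessRecord]:
    """Replay log lines in order and build an audit trail of who touched classified data.

    A sudo escalation records that the generic target account now acts on behalf of the
    invoking user; a direct login as a generic account resets that attribution to None,
    so accesses that follow are reported as unattributed. (A production version would
    key the attribution on session or TTY rather than on a single global state.)
    """
    acting_as: dict[str, Optional[str]] = {}   # generic account -> named user behind it
    trail: list[AccessRecord] = []

    for line in lines:
        if m := SSHD_RE.search(line):
            if m.group("user") in generic:
                acting_as[m.group("user")] = None   # shared account used directly
            continue
        if m := SUDO_RE.search(line):
            if m.group("target") in generic:
                acting_as[m.group("target")] = m.group("invoker")
            continue
        if m := AUDIT_RE.search(line):
            uid, op, path = m.group("uid"), m.group("op"), m.group("path")
            if path not in sensitive:
                continue                            # only classified data is in scope
            actor = acting_as.get(uid) if uid in generic else uid
            trail.append(AccessRecord(uid, actor, op, path, sensitive[path]))
    return trail


def unattributed(trail: list[AccessRecord]) -> list[AccessRecord]:
    """Records a reviewer must chase: generic-account access with no named person behind it."""
    return [r for r in trail if not r.attributed]


if __name__ == "__main__":
    for r in audit_sensitive_access(SAMPLE_LOG.splitlines()):
        print(f"{r.op:5} {r.path} [{r.classification}] by {r.account} <- {r.actor or 'UNATTRIBUTED'}")
```

On the sample input the read of `customers.csv` is attributed to alice through her sudo escalation, bob's read is attributed to himself, the write to `payroll.db` after the direct root login is flagged as unattributed, and the read of `/var/log/syslog` never enters the trail because it is not classified. The point of control 5 is precisely that last flagged record: without the escalation-to-person mapping, every root action would look the same.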