Flexibility and Compensating Control Potential
4. Flexibility and compensating control potential: Compliance and audit requirements are dynamic: additional systems and applications become "in-scope" and new controls are requested. Select solutions that are flexible enough to meet additional requirements without significantly increasing operational overhead.
Such solutions also need to lend themselves to efficient implementation of control activities that can be used as compensating controls. This will strengthen the negotiating position of the IT security staff when responding to auditors' control objective requests-while simultaneously improving overall risk management posture.
When implementing these suggestions, it's important to keep in mind the powerful morale boost that taking this approach typically generates. Let's face it: Many, if not most, IT security professionals view compliance and audit control activities as largely ineffective and wasteful. In contrast, taking a cooperative approach that focuses on broad application of high-value controls that are operationally efficient is a game changer.
Everyone involved can appreciate the attention paid to the operational impacts of the activities as well as the efficacy of the controls. This, in turn, leads to improvement of both the morale and the cross-functional effectiveness of the teams involved, further driving a more effective risk management posture. By more effectively parlaying compliance and audit activities to achieve greater business risk management, IT teams gain valuable efficiencies that benefit the entire enterprise.
Mitch Christensen is Chief Technology Officer and Chief Architect at PacketMotion. Mitch has more than 25 years of experience designing and developing groundbreaking technologies that include distributed systems, search engine software and large-scale data storage solutions for government and commercial customers. Before joining PacketMotion, Mitch was the chief architect and lead designer for Informatix where he deployed an innovative search engine, document management system, and next-generation paperless payment processing systems for governmental agencies.
Previously, Mitch served as the principal architect at Centegy Corp., where he led the development of the flagship remote integrator business integration server. Mitch also worked as senior architect at The Dialog Corporation where he brought their proprietary search engine technology and massive online content to the Web. In addition, Mitch spent several years doing research and development in the telecommunications industry. Mitch holds a patent for core remote integrator technology. He can be reached at email@example.com.