As we roll out a compliance workflow, I am reminded how tightly information technology (“IT”) is connected to the concept of compliance. Information, as in vulnerability reports, access requests, firewall logs, hiring statistics and much more, is the key component of compliance. Technology, as in firewalls and workflow, is both the end purpose and the solution. You know the headlines: data breaches, ESG issues, government regulations. These are all issues that require corporate compliance measures.
Compliance is basically setting up policies and procedures that ensure best practices for corporate security, effectiveness, goals, etc., and then auditing adherence to those policies and procedures so that risks can be avoided. The best way to minimize deviation from the policies and procedures, and to lessen the burden of audits, is to use technology to track the process of gathering, reviewing and approving the information. Wow, that sounds like a great fit for a technology solution: workflow.
Information by itself is just information. The critical component is to have that information reviewed and then appropriate action taken. Take a daily occurrence at our company as an example. We review firewall reports daily to see if there is any suspicious activity. If the report were just generated and automatically filed away, it would be useless. But if that report is sent into a workflow, the responsible party is notified and can review it, escalate it to specialists if necessary, and hand it off to a remediation effort if needed. Without that technology process, the information could slip past, compliance crumbles and risk increases.
Technology by itself is not the answer either, and it is part of the real need for compliance in the first place. Having strong security compliance is critical to keeping corporate information secure. But even the best firewall or password policy might not be enough of a technology solution. The technology needs a process to ensure that firewall rules weren’t changed inadvertently and now allow anyone through to your server. A good compliance process will ensure that all firewall changes are reviewed and approved before being implemented, and that proof of proper implementation is provided afterwards.
One last note on information. Policies and procedures are wonderful things. But in this age of information overload, the extent to which that information is consumed and retained is sketchy. Technology, aka workflow or checklists, can make us humans better able to meet our responsibilities. I can always use a gentle reminder that a new vendor needs to provide a security profile before work can commence, or that an exiting client should have its data destroyed or returned to lessen the risk of data exposure. These things don’t happen often, but a policy and compliance with that policy are important.
The obvious thing here is that Information Technology is a department in all big companies. IT is responsible for ensuring the corporation’s decision makers get the information they need when they need it. IT is usually responsible for ensuring the protection of that information too. That protection goes beyond firewalls and can extend to simple solutions that help the corporation stay compliant with its policies and procedures. IT really is connected to compliance, and any company that understands that is better for it.