“A day at the beach can turn into a hurricane fast.”
That’s the tagline Sarah Cortes chose for Inman TechnologyIT, her Cambridge, Massachusetts-based consultancy. What’s the context? Disaster recovery, security and preparation for IT compliance audits. I met Cortes at a meeting of the New England Tech Professionals LinkedIn group last night in Waltham, Massachusetts. She provided an overview of IT policies, standards and technical directives to a group of seasoned IT professionals before leading a discussion of how these frameworks relate to actual preparation.
I posted the following updates to @ITCompliance on Twitter while she spoke and engaged the audience.
- Cortes presenting on a true “alphabet soup” of standards/orgs: ISO/ISEC 27000, ITIL, NIST, PMBOK, TOGAF, CMMI for dev, SEI’s CMM & COBIT .
- Important note from Cortes: Many of the “standards” (like COBIT) are frameworks. Adopting them gives auditors a reference point.
- Excellent discussion here by IT pros of the difference between stating ISO/COBIT compliance & genuine quality in IT policy & processes.
- Discussion turning to ISACA technical directives & more granular IT processes & recommendations. Key reference: http://isaca.org
- Wrapping up; Cortes of Inman Tech moderated a useful discussion of compliance standards & audit concerns. http://twitpic.com/1prtm
Aside from the opportunity to meet a dozen enterprise IT professionals, the core of the SearchCompliance.com audience, I took away a number of insights that the tweets above highlight.
First, the number of standards and frameworks relevant to compliance is staggering. Compliance officers and CIOs have long since become well aware of the issue. When Cortes talked about ISO/ISEC 27000, her tongue-in-cheek comment was that 27000 referred to the number of standards it comprises.
Secondly, in Cortes’ eyes there’s a distinction between being compliant with a given framework, like COBIT or ITIL, and running a quality IT department that is prepared for a disaster and has consistently protected critical financial, health and intellectual property data. Demonstrated adherence to these frameworks, especially in documentation of internal processes and policies, will help when the compliance auditors come calling.
The latter part of the presentation ran through dozens of recommendations for given IT policies offered from the Information Systems Audit and Control Association (ISACA). As Cortes noted, the frameworks for security don’t offer specific advice for a given area. ISACA directives do. As I noted in the tweet, more information is available at http://isaca.org.
The final part of the night featured a wide-ranging discussion about life on the “front lines” of the IT department by engineers and administrators who had to mitigate data breaches, prepare for compliance audits and develop procedures to ensure compliance across multiple computing environments. Clearly, these tasks aren’t easy. If you’d like to tell us your story, please write to firstname.lastname@example.org.
Thanks again to Cortes for allowing us to publish her presentation and to Dennis Comeau for the invitation to the meeting.