Enterprise IT Security Compliance In Five Simple Steps

Maintaining IT security is a constant struggle for enterprises in both the public and private sectors. The adoption of cloud computing, bring-your-own-device (BYOD) policies as well as the pervasiveness of 'Shadow IT' within organisations are compounding the issue. We break things down in five steps to make security compliance just that little bit easier for your business.


Security compliance standards are readily available across various industries. We have the Australian Signals Directorate (ASD) standards for government agencies and PCI DSS for the payments industry, but they're not exactly easy to follow. These standards usually involve a plethora of very technical controls that organisations need to implement, and it's often difficult to communicate them to employees and business leaders who have little understanding of IT security.

It is crucial that all employees are engaged with the security practices of their business, so on top of the usual standards that can be adopted for security compliance, companies need to look at setting up internal controls that are palatable for those who aren't particularly technical. Tenable Network Security CEO and industry veteran, Ron Gula, recommends adopting these five steps to improve the level of IT security for organisations:

Track your authorised inventory of hardware and software

It sounds simple enough, but many workers are bringing their own devices, connecting them to the corporate network and using third-party applications that are not approved by their IT departments, which makes hardware and software difficult to track.

As noted in our previous Shadow IT story, having an open dialogue with employees is important. Most workers don't want to deliberately break the rules but may feel like they have no choice because the IT provided by their companies is so inadequate. Understanding the gripes of these workers and letting them know the potential security risks are crucial steps in tackling the issue.
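Tracking an authorised inventory only pays off if it is regularly reconciled against what is actually on the network. The following is an added example, not code from the article or from Tenable: it parses a constructed endpoint report (device and installed package per line), compares it with a constructed authorised inventory, and reports unknown devices, devices that failed to report, and software installed outside the approved list. All device and package names are made up for illustration.

```python
"""Reconcile an authorised hardware/software inventory against observed data.

Added example. AUTHORISED and SAMPLE_REPORT are constructed sample data,
standing in for an asset register and an endpoint-agent or discovery-scan export.
"""

# Constructed authorised inventory: device identifier -> approved software.
AUTHORISED = {
    "ws-finance-01": {"office-suite", "browser", "vpn-client"},
    "ws-hr-02": {"office-suite", "browser", "hr-portal"},
    "srv-db-01": {"postgres", "backup-agent"},
}

# Constructed report, one "device<TAB>package" line per installed package.
SAMPLE_REPORT = """\
ws-finance-01\toffice-suite
ws-finance-01\tbrowser
ws-finance-01\tvpn-client
ws-finance-01\ttorrent-client
ws-hr-02\toffice-suite
ws-hr-02\tbrowser
ws-hr-02\thr-portal
personal-laptop-7\tbrowser
personal-laptop-7\tcloud-sync
"""


def parse_report(text):
    """Turn the tab-separated report into device -> set of installed packages.

    Blank and malformed lines are skipped rather than aborting the whole run,
    since a partial inventory is still worth acting on.
    """
    observed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "\t" not in line:
            continue
        device, package = line.split("\t", 1)
        observed.setdefault(device.strip(), set()).add(package.strip())
    return observed


def reconcile(authorised, observed):
    """Compare the authorised inventory with what was observed.

    Returns three findings:
      unknown_devices     - reported but not in the authorised inventory
      missing_devices     - authorised but did not report (offline, or agent removed)
      unapproved_software - per known device, packages outside the approved set
    """
    known = set(authorised) & set(observed)
    unapproved = {}
    for device in sorted(known):
        extra = observed[device] - authorised[device]
        if extra:
            unapproved[device] = extra
    return {
        "unknown_devices": set(observed) - set(authorised),
        "missing_devices": set(authorised) - set(observed),
        "unapproved_software": unapproved,
    }


def format_findings(findings):
    """Render findings as plain lines suitable for a daily review e-mail or ticket."""
    lines = []
    for device in sorted(findings["unknown_devices"]):
        lines.append(f"UNKNOWN DEVICE   {device}")
    for device in sorted(findings["missing_devices"]):
        lines.append(f"MISSING DEVICE   {device}")
    for device, packages in sorted(findings["unapproved_software"].items()):
        lines.append(f"UNAPPROVED SW    {device}: {', '.join(sorted(packages))}")
    return lines


if __name__ == "__main__":
    for line in format_findings(reconcile(AUTHORISED, parse_report(SAMPLE_REPORT))):
        print(line)
```

Run daily, the three buckets map directly onto conversations with staff: an unknown device is a BYOD discussion, unapproved software is a Shadow IT discussion, and a missing device is an agent or coverage gap to chase before it becomes a blind spot.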

Continuously removing vulnerabilities and misconfigurations

According to Gula, organisations usually spring into action when a breach occurs, but by then it's too little, too late. Companies can become lax in actively seeking out security holes in their networks, but that is a key part of preventing incidents from occurring. Gula's advice to enterprises is to adopt real-time auditing of their corporate networks to remove vulnerabilities and misconfigurations as they are found.

Network security should be a daily habit to stem the tide of vulnerabilities

Security should be front of mind for enterprises, and employees need to be mindful that they each have a responsibility in protecting their organisations. Having visibility over what's happening on the corporate network and reviewing it on a daily basis are things that every company should do.

Giving users access to only what they need

Not all workers require access to all applications and systems all the time. By being selective in providing access to employees, companies can reduce the potential entry points for security breaches. Of course, don't be too draconian with this approach by locking down everything and requiring workers to go through a lengthy process to gain clearance, as it may adversely impact your organisation's productivity.
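A practical way to keep least privilege from becoming either lax or draconian is to define what each role actually needs and then diff every user's granted access against that list in both directions. The following is an added example (not code from the article or from Tenable) with constructed roles, permission strings and users: excess grants are the entry points the article warns about, while missing grants are the productivity complaints that drive people towards workarounds.

```python
"""Periodic least-privilege access review.

Added example with constructed data. ROLE_REQUIRED stands in for a documented
role-to-entitlement matrix; USERS stands in for an export from the directory
or the application's own permission tables.
"""

# Constructed role matrix: role -> the entitlements that role needs to do its job.
ROLE_REQUIRED = {
    "accounts-payable": {"erp:invoices:read", "erp:invoices:approve"},
    "helpdesk": {"ad:password-reset", "ticketing:write"},
}

# Constructed user export: user -> assigned role and the entitlements actually granted.
USERS = {
    "alice": {
        "role": "accounts-payable",
        "granted": {"erp:invoices:read", "erp:invoices:approve", "erp:admin"},
    },
    "bob": {"role": "helpdesk", "granted": {"ticketing:write"}},
    "carol": {"role": "helpdesk", "granted": {"ad:password-reset", "ticketing:write"}},
    "dave": {"role": "contractor", "granted": {"ticketing:write"}},
}


def review_access(role_required, users):
    """Diff each user's grants against their role's requirement.

    Returns user -> {"excess": ..., "missing": ..., "unknown_role": bool}.
    A user whose role is not in the matrix is flagged rather than silently
    treated as needing nothing, so the matrix gap itself gets fixed.
    """
    report = {}
    for name, record in users.items():
        role = record["role"]
        if role not in role_required:
            report[name] = {"excess": set(), "missing": set(), "unknown_role": True}
            continue
        required = role_required[role]
        report[name] = {
            "excess": record["granted"] - required,
            "missing": required - record["granted"],
            "unknown_role": False,
        }
    return report


def summarise(report):
    """Split the review into the two lists a reviewer acts on, plus matrix gaps."""
    to_revoke = {u: r["excess"] for u, r in report.items() if r["excess"]}
    to_grant = {u: r["missing"] for u, r in report.items() if r["missing"]}
    undefined = sorted(u for u, r in report.items() if r["unknown_role"])
    return {"revoke": to_revoke, "grant": to_grant, "undefined_roles": undefined}


if __name__ == "__main__":
    summary = summarise(review_access(ROLE_REQUIRED, USERS))
    for user, perms in summary["revoke"].items():
        print(f"REVOKE  {user}: {', '.join(sorted(perms))}")
    for user, perms in summary["grant"].items():
        print(f"GRANT   {user}: {', '.join(sorted(perms))}")
    for user in summary["undefined_roles"]:
        print(f"NO ROLE {user}: role not in matrix, review manually")
```

Running this on a schedule turns access reviews from a one-off clearance exercise into the same daily habit the article recommends for network visibility, and the "grant" list gives IT a reason to approach users before they go looking for their own tools.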

Search for malware and intruders

Stay on top of IT security news to understand what threats you're looking for. Attackers are constantly finding new ways and acquiring new technologies to break into corporate networks, and their efforts are becoming more targeted and sophisticated.

Gula notes that these days, it's not a question of if you will be attacked, but when. Staying vigilant to new types of threats and being on the lookout for abnormal activity on the network is a sound way to prevent serious breaches.

"The controls themselves are good but they don't magically make your business more secure. The fact that you're tracking your network and constantly improving your compliance frameworks, that really does work," Gula said.

How does your organisation deal with IT security compliance? Let us know in the comments.


    Love reading your articles on Enterprise IT. If only they taught these in Universities that would save me the time teaching fresh grads sys admin work and why we do it.

    Keep up the work.

      Thank you very much! Good to know I'm doing something right :P haha

    "Giving users access to only what they need"

    Welcome to 1989.... where locking machines down so they can only do what the office Information Prevention Dept thinks they should be able to do means you're secure.

    No. You're wrong. Protect the data and don't trust the machines, but don't stop the users using these expensive tools to make your business faster, cheaper and more agile.

      Please tell me you have no infosec responsibilities in your organisation. The principle of 'least privilege' is a time-honoured concept that is as relevant today as it was in 1989.
