Robert Findlay, CISA
I am always struck that, wherever I work, the basic fundamentals of information security are almost never implemented. It does not seem to matter in which industry, which culture or size of IT department; key controls are rarely if ever addressed when a new system is implemented. If they are, they are rarely thought through, poorly executed, quickly forgotten and allowed to deteriorate. And this has been happening consistently during my 30-year career in IT. And it never gets any better, despite greater audit attention, well-publicized failures and severe repercussions for companies that get it wrong.
Let us take disaster recovery (DR) as a good working example. Although a must have for the vast majority of systems, it amazes me how often it is not even implemented. And often when it has been, it clearly does not cover all the components, backups are not in place, it is never tested, and inevitably there is a failure and the IT manager is held accountable. So why do IT managers not protect themselves and implement the DR solution as part of the initial system implementation? Indeed, why do they not do any of the rather simple security controls that would make their lives so much easier in the medium to long term?
A few reasons have jumped out over the years. First, decision makers, i.e., the non-IT folks, often start projects without complete IT input, overlooking important aspects of a secure initial stage, including DR planning. Second, senior IT team members often have limited or no qualifications in the security field, which makes it harder for them to work out network security or user restrictions during implementation while the decision makers are focused on strategy and new paradigms. Finally, most IT members with good technical training should make the effort to attain further IT security qualifications.
So here is my advice for IT teams when auditing a new system: Make sure that the decision makers have included all needed IT aspects for the project, such as a budget for testing, development and DR environments, and ensure that all IT team members are fully immersed and capable of managing security and DR.