Clear and present governance


15 December 2014

In the current software market there is a renewed emphasis on Governance, Risk and Compliance (GRC) and ever more regulatory compliance to be built into projects and change management. “At a high level, it is fair to say that it is becoming more challenging than ever because of differing methodologies,” Power says. “I think that is going to continue, particularly in larger projects with multiple vendors.”


Data value and assets
Asystec is a specialist data management solutions company, founded in Limerick in 2011 which now has offices also in Cork, Dublin and Belfast. Director Brendan McPhillips, perhaps unsurprisingly, says that all ICT governance ultimately stems from the organisation’s data. “You have to understand what our data assets are in the first place. Not all data is equally valuable or sensitive, not all data is treated the same. So all governance, risk and compliance solutions have to be designed to match the different kinds of data appropriately. Historically, organisations did not often categorise or organise their data from a GRC point of view.”

That was and still is a challenge, McPhillips says, now combined with a much broader threat landscape with multiple devices, external channels and categories of data access and permissions. “The move today is towards intelligence-driven security, understanding what is ‘normal’ and seeking and monitoring for anomalies. We are more and more seeing smart analytics producing actionable intelligence in the security sphere as elsewhere.”

“We deal a lot with clients that have to prove their compliance to external parties, in handling credit card information, for example, or health information or personal data,” says McPhillips. “Another field is extremely valuable intellectual property, whether the organisation’s own or the property of its clients. All of these are drivers of governance and security. Yet another sensitive area we come across is enterprises that have a lot of customers which are competitors of each other, especially in outsourcing and managed services. So you have to have, and prove you have, the electronic equivalent of Chinese walls to separate and insulate the different data and access to it in multi-tenanted ICT infrastructure.”

Data context
But in the organisation, it is only the business owners who can give the context, the value and the sensitivity for any data. “So once again, that is where the governance and the security brief have to begin. Then the technology specification kicks in. For example anomalous behaviour in a user’s data might be treated very differently from anomalies showing up in a database,” McPhillips said.

“This is all in a context of rapid change and necessarily agile organisations, plus the accelerating generation of more data. In today’s world many organisations have increasingly porous infrastructures, in the sense that there are multiple information channels in and out because of links with suppliers, customers and partners,” he says. “It has become more difficult for any risk officer or other executive to sign off on compliance. How do you put all of the necessary controls in place? How do you know they are effective? Like the security threat, the challenges to ICT governance are continuing to multiply.”
