Wednesday, October 3, 2012

Saving Money with IT Security Processes. Example 7/26: Early Notice of Regulatory Compliance Changes through Technological and Legal Watch

Article number 7 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Regulatory Compliance requirements are a pain in the back for companies. They've got to reach some government-imposed or industry-imposed requirements and they sometimes have to reach them by using imposed means, tools, technologies...

However, the most costly is not to put the requirements in practice if you know them from the start of projects. The most costly is to modify production afterwards, in haste, in order to comply:
  • The production may incur downtimes and bugs because of the hasty patches.
  • Besides, the architecture may have to be reviewed to support the requirements, and the previous architecture may be obsolete before it has paid off.
  • Eventually, the patched system may be more expensive to operate than if it had been thought about correctly from the beginning.

A good way to prevent such blunders and losses of money from happening is the Technological and Legal Watch process. The goal of the process is to identify emerging threats. Threats can be:
  • Technical, like a new vulnerability.
  • Commercial, like a vendor no more supporting a product.
  • Trends, like the emergence of a new kind of attacks (think XSS a few years ago).
  • Regulatory, like the validation of an industry standard.
  • Legal, like the imposition of a new legal requirement.

The best tool for Technological and Legal Watch process is the RSS feed. Feeds can be collected from related web sites. Feeds can also be created from Google searches (with keywords).