Find your starting point with IT compliance

Executive Homework

  1. Ask if you currently have an IT Security Framework

    Which framework you have doesn't really matter. It's more important that you have one.

  2. Ask for an inventory of software in use

    Most companies have an inventory of physical assets. The physical device is much less important than the information it processes.

  3. Ask "what happens if"

    Pick a piece of software, a computer or a server and ask what happens if it breaks for an hour, a day or a week.


Even a bad budget is better than ...


Think of security and compliance frameworks like a chart of accounts and budgets.

  • They provide structure. Frameworks allow multiple people to look at the same data in the same way.
  • They provide a way of seeing where you are versus where you want to be.
  • They allow for effective planning.
  • They allow for tracking your progress over time.


Good security practices are good security practices. Almost all of any particular framework can be mapped to any other framework. The National Institute of Standards and Technology (NIST) even publishes a spreadsheet showing how the controls in one framework map to the controls in another.


Controls are safeguards intended to meet security & privacy requirements; assessing controls verifies that these requirements are met.


Controls are often divided into families or groups, much like an income statement is divided into revenue, cost of goods sold, and sales, general and administrative expenses. These control families can sound confusing, but in practice you're probably already doing most of this for other areas of your business.

  • AC - Access Control. (Does that employee really need access to the payroll system)
  • AU - Audit and Accountability. (Does that employee still need access to the payroll system)
  • AT - Awareness and Training. (Phishing training)
  • CM - Configuration Management. (Do you plan your changes in advance or just push buttons)
  • CP - Contingency Planning. (What happens if...)
  • IA - Identification and Authentication. (How do you know who's accessing your systems)
  • IR - Incident Response. (There was a fire. What do we do)
  • MA - Maintenance. (How do we keep things running smoothly)


Your IT person should be able to explain controls in plain English, and you should be able to match the relative thoroughness of your business controls to your IT infrastructure. For example, you may have rules requiring two people to complete a wire transfer. You should ask your IT person or company whether they use separate accounts when they perform administrative functions. That's the plain English version of:


Access Control Requirement 3.5.1 (control AC-6), which maps to ISO 27001 controls A.9.1.2, A.9.2.3, A.9.4.4 and A.9.4.5:

Employ the principle of least privilege, including for specific security functions and privileged accounts.

DISCUSSION Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.
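The plain-English question above ("do you use separate accounts for administrative functions?") can be turned into a repeatable check. The following is an added example, not part of the article or of any NIST text. It assumes an account inventory exported from a directory or HR system as a list of records; the field names (`account`, `owner`, `groups`, `daily_use`), the privileged group names and the sample records are all constructed for the example.

```python
"""Check an account inventory for separation of everyday and administrative accounts.

Added example (not from the article or NIST). Field names, group names and the
sample records below are constructed assumptions.
"""

# Groups that confer administrative rights. Constructed for the example;
# a real organisation would take these from its own directory.
PRIVILEGED_GROUPS = {"Domain Admins", "Payroll Admins", "Server Admins"}

# Constructed sample inventory: one row per account.
# daily_use=True means the account is used for email, browsing and routine work.
ACCOUNTS = [
    {"account": "jsmith",     "owner": "J. Smith", "groups": ["Staff"],                   "daily_use": True},
    {"account": "jsmith-adm", "owner": "J. Smith", "groups": ["Domain Admins"],           "daily_use": False},
    {"account": "mjones",     "owner": "M. Jones", "groups": ["Staff", "Payroll Admins"], "daily_use": True},
    {"account": "svc-backup", "owner": "IT",       "groups": ["Server Admins"],           "daily_use": False},
    {"account": "rlee",       "owner": "R. Lee",   "groups": ["Staff"],                   "daily_use": True},
]


def is_privileged(account, privileged_groups=PRIVILEGED_GROUPS):
    """True if the account is a member of any privileged group."""
    return bool(set(account["groups"]) & privileged_groups)


def find_shared_admin_accounts(accounts, privileged_groups=PRIVILEGED_GROUPS):
    """Accounts used for daily work that also hold privileged membership.

    These are the ones to ask about: one account doing both jobs is the
    opposite of 'separate accounts for administrative functions' (AC-6).
    """
    return sorted(
        a["account"] for a in accounts
        if a["daily_use"] and is_privileged(a, privileged_groups)
    )


def admin_account_owners(accounts, privileged_groups=PRIVILEGED_GROUPS):
    """Map each owner to the privileged accounts they hold.

    Gives a reviewer a short list to re-confirm periodically: is each
    privileged account still tied to a named person or a documented service,
    and does that person still need it? (The AU question from the list above.)
    """
    owners = {}
    for a in accounts:
        if is_privileged(a, privileged_groups):
            owners.setdefault(a["owner"], []).append(a["account"])
    return owners


if __name__ == "__main__":
    for name in find_shared_admin_accounts(ACCOUNTS):
        print(f"Daily-use account with admin rights: {name}")
    for owner, accts in admin_account_owners(ACCOUNTS).items():
        print(f"{owner}: {', '.join(accts)}")
```

On the constructed data the check flags `mjones`, whose everyday account also sits in Payroll Admins, while J. Smith's separate `jsmith-adm` account passes. The same two functions answer the executive's question for both AC (who has access) and AU (does each person still need it).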

To paraphrase Isaac Asimov, the most interesting phrase to hear is not "Eureka!" but "That's funny..."


Maintaining a software inventory is an essential part of any organization's security and business operations. A software inventory is often treated as just a list of things that need to be patched or updated. That is not the most important aspect, nor the most interesting one.


The inventory is important so you can look at the software and see if there's a better way of operating the business. The software inventory should include a sentence or two about what each piece of software is used for.


Would you want to pay to maintain software that accepts American Express payments if you no longer accept American Express? Would you prioritize maintenance on the unknown system sitting on the floor? What if you knew the software running on it was the one that sent out millions of dollars' worth of bills to your customers every month? Would you be interested to know that different divisions of your company had all signed up for different software platforms on their own and weren't talking to each other?

Expected profit is the probability of receiving a certain profit times the profit, and the expected cost is the probability that a certain cost will be incurred times the cost.

Expected Value = Probability x Impact

When I teach scouts about being prepared, we start with a list of things that can happen and then think about what we would need in that situation.


  • I cut my finger: band-aids.
  • I cut my finger really badly: gauze pads and tape.
  • Someone twisted an ankle: a splint.

Ask what happens when you lose your Internet connection: which functions will continue normally and which will come screeching to a halt?

Ask how long your warehouse can keep shipping products if your warehouse management system (WMS) goes down. Ask for a list of three things that can break inside the WMS and how long it would take for each of those things to be repaired.

Sometimes there are simple fixes for these issues, such as emailing a list of the day's shipments to yourself every morning so that you could work from it if the system went down.

Sometimes the fixes are complicated, and you will want to calculate the cost to the business while those systems are down. If you have 50 people in the warehouse shipping products and they all make $20 an hour, downtime would cost you at least $1,000 an hour. If your IT company tells you it might take two days to fix the problem and you run three shifts, you can now make a business decision about what it is worth investing to prevent that downtime, even if you don't fully understand any of the problems that caused it.
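The software inventory with a purpose line per system, the expected value formula (Probability x Impact) and the downtime arithmetic above fit together into one ranked list. The following is an added example, not from the article. It assumes each inventory entry carries rough estimates of how many people stop working, their hourly cost, IT's repair estimate and how often an outage is expected per year; the field names, the sample systems and all the figures are constructed (the WMS row uses the article's 50 people, $20 an hour and two days of three shifts).

```python
"""Rank a software inventory by expected annual downtime cost.

Added example (not from the article). Field names, sample systems and
all estimates are constructed assumptions.
"""

from dataclasses import dataclass


@dataclass
class System:
    name: str
    purpose: str              # one sentence: what the business uses it for
    people_affected: int      # staff who stop working when it is down
    hourly_wage: float        # hourly cost per affected person
    repair_hours: float       # IT's estimate of time to restore service
    outages_per_year: float   # probability expressed as expected outages per year

    def hourly_cost(self) -> float:
        """Floor estimate of the cost of one hour of downtime (idle staff only)."""
        return self.people_affected * self.hourly_wage

    def cost_per_outage(self) -> float:
        """Impact of one outage: everyone idle for the whole repair window."""
        return self.hourly_cost() * self.repair_hours

    def expected_annual_loss(self) -> float:
        """Expected Value = Probability x Impact, per year."""
        return self.outages_per_year * self.cost_per_outage()


def rank_by_expected_loss(systems):
    """Most expensive expected loss first: this is the maintenance priority list."""
    return sorted(systems, key=lambda s: s.expected_annual_loss(), reverse=True)


def worth_spending(system, mitigation_cost_per_year, outages_after):
    """Annual saving from a mitigation minus its cost (positive means worth it).

    outages_after is the expected outage frequency once the mitigation is in place,
    e.g. a backup link or a documented manual shipping procedure.
    """
    loss_after = outages_after * system.cost_per_outage()
    return system.expected_annual_loss() - loss_after - mitigation_cost_per_year


# Constructed inventory. The WMS row mirrors the article's numbers:
# 50 people x $20/h, two days of three shifts = 48 hours to repair.
INVENTORY = [
    System("WMS", "Picks, packs and ships every warehouse order", 50, 20.0, 48.0, 0.5),
    System("Billing", "Sends monthly invoices to customers", 3, 30.0, 8.0, 1.0),
    System("Amex gateway", "Accepts American Express payments (no longer accepted)", 0, 0.0, 4.0, 2.0),
]


if __name__ == "__main__":
    for s in rank_by_expected_loss(INVENTORY):
        print(f"{s.name:<13} ${s.hourly_cost():>8,.0f}/h  "
              f"${s.cost_per_outage():>10,.0f}/outage  "
              f"${s.expected_annual_loss():>10,.0f}/year  - {s.purpose}")
    # Is a $10,000/year mitigation that cuts WMS outages to 0.1/year worth it?
    print(f"Net benefit of WMS mitigation: ${worth_spending(INVENTORY[0], 10000.0, 0.1):,.0f}")
```

With these figures the WMS sits at $1,000 an hour and $48,000 per two-day outage, so even at one outage every two years it dominates the list, the billing system is a distant second, and the unused card gateway scores zero and is a candidate for retirement rather than maintenance. The `worth_spending` comparison is the business decision the article describes: the executive never needs to understand the root cause to see that a $10,000 mitigation cutting WMS outages to one in ten years nets about $9,200 a year.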


A good IT person will act as a translator helping to translate IT issues into business decisions.