Paul Masemola, MiSEC


The systems management software market growth highlights the need for effective management of IT environments.

IT companies continue to seek solutions that reduce ongoing operating expenses, while also aiming to lower the risk of and regulatory compliance violations. The recently forecast that the worldwide systems management software market will expand faster than many other software markets. Although this growth is fuelled by the increasing importance of using systems management software for better change control, discovery, and compliance tracking, it is important that IT environments are adequately managed for full benefits to be realised.

“It needs to be taken into consideration that IT environments tend to have unique risks associated with them, due to the architectures in place, applications used, and the inherent industry/sector risk landscape,” explains Paul Masemola, MD of MiSEC.

He believes the effectiveness of systems management software largely depends on the pre-work required around understanding the organisational risk landscape.

“Although modern tools are preloaded with controls and compliance libraries for ease of configuration and reference, like any tool, systems management software is only as effective as the people and the processes within which it is implemented,” he says. “Therefore, the aforementioned pre-work towards managing governance, risks and compliance (GRC) must precede the tool’s selection and implementation.”

According to Hathaway, director of Soarsoft Africa, while policies and processes are a critical part of the information governance process, technology is the enabler for both of these aspects and is the only really effective way to manage the vast amounts of information when action needs to be taken. “Effective retention management, defensible deletion and ensuring critical data is not lost, or even simply being able to find the information when required, is heavily dependent on the actual technology stacks in place,” he says. This is especially true of the unstructured data randomly generated in vast quantities by the so-called ‘information worker’.

“In a world where data volumes continue to increase exponentially, defensible deletion has also become a critical tool to avoid the cost of retaining redundant information while ensuring adequate levels of risk management and compliance,” he explains.

The first step in adhering to GRC policies is discovering all the assets in the organisation, and managing them in such a way as to ensure they comply with corporate policies, says Garth Hayward, regional manager for Africa at Kaseya. “Through discovering all assets, and building an asset register, an organisation allows compliance by ensuring that every single access point on a network, or in an environment, is locked down, secure, and audited. If an asset is not discovered, it can’t be managed. Discovery, therefore, plays a critical part in compliance,” he believes.

Following the development of an asset register, a configuration management database will, via systems management and deployment policies, effectively control what applications are used and allowed on the system, and then automate the removal of software that has not been authorised, or is non-compliant, Hayward continues.
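The discovery, register and policy steps above can be reduced to two set comparisons: hosts the sweep found versus hosts the register knows, and software each managed host runs versus what its owner’s policy allows. The following is an added example written for this article, not Kaseya’s product code; the inventory format, the register, the policy and the remediation action names are all assumptions made for illustration. It deliberately skips unregistered hosts in the software audit, because a host without an owner has no policy to apply, which is the point made above that an undiscovered asset cannot be managed.

```python
"""Reconcile a discovery sweep with the asset register, then audit each
managed host against the software policy a CMDB deployment policy would
enforce.  Added example, not Kaseya's code; data and action names are
assumptions for illustration."""

# Constructed sample: hosts a discovery sweep found, with installed software.
DISCOVERED = {
    "fin-ws-01": {"Windows 7 Pro", "Office 2010", "Adobe Reader", "uTorrent"},
    "fin-ws-02": {"Windows 7 Pro", "Office 2010"},
    "hr-lt-07": {"Windows 7 Pro", "Office 2010", "TeamViewer"},
    "dev-srv-03": {"Ubuntu 12.04", "OpenSSH", "Apache 2.2"},
}

# Constructed sample: the asset register (host -> business unit that owns it).
REGISTER = {
    "fin-ws-01": "Finance",
    "fin-ws-02": "Finance",
    "dev-srv-03": "Development",
    "legacy-print-01": "Facilities",
}

# Constructed policy: software each business unit is allowed to run.
POLICY = {
    "Finance": {"Windows 7 Pro", "Office 2010", "Adobe Reader"},
    "Development": {"Ubuntu 12.04", "OpenSSH", "Apache 2.2", "Git"},
    "Facilities": {"Windows 7 Pro"},
}


def reconcile(discovered, register):
    """Split discovery results against the register.

    Returns (unregistered, unseen): hosts on the network that nobody owns,
    and registered hosts the sweep did not find (offline, stolen, decommissioned).
    """
    found, known = set(discovered), set(register)
    return sorted(found - known), sorted(known - found)


def audit_software(discovered, register, policy):
    """Per managed host, installed software the owning unit's policy does not allow.

    Unregistered hosts are skipped on purpose: without an owner there is no
    policy to apply, which is why discovery and registration come first.
    """
    findings = {}
    for host, installed in discovered.items():
        unit = register.get(host)
        if unit is None:
            continue
        extra = installed - policy.get(unit, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


def remediation_plan(discovered, register, policy):
    """Ordered actions the systems-management tool would execute or queue."""
    actions = []
    unregistered, unseen = reconcile(discovered, register)
    for host in unregistered:
        actions.append(("quarantine-and-register", host, None))
    for host in unseen:
        actions.append(("investigate-missing-asset", host, None))
    for host, extras in audit_software(discovered, register, policy).items():
        for package in extras:
            actions.append(("uninstall", host, package))
    return actions


if __name__ == "__main__":
    for action in remediation_plan(DISCOVERED, REGISTER, POLICY):
        print(*action)
```

Run as-is it flags hr-lt-07 as an unowned host to quarantine and register, legacy-print-01 as a registered asset that was not seen, and queues an uninstall of uTorrent on fin-ws-01; TeamViewer on hr-lt-07 is not acted on until that host has an owner and therefore a policy.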

According to Olivier, Veeam Software regional manager for southern Africa, from a data management perspective, monitoring alerts can help companies establish best practices. “By starting to connect the dots before you’ve run out of capacity, you can avoid problems,” he says.

GRC OPERATIONS FAILURE

Failure to effectively manage GRC operations can have devastating consequences to business. According to Masemola, this is especially true for organisations that operate in a highly regulated sector. “The implications of failed controls may include fines, reputational damage and/or business failure. Significant GRC operations breakdowns may be attributable to unidentified or unmanaged single points of failure, the lack of a holistic approach to risk management, or GRC efforts which are too narrowly focused,” he explains.

Gareth Tudor, Altonet

Failure in GRC operations include various risks, from fraud and mismanagement through to disasters that could even result in a total loss of data within the organisation, Gareth Tudor, CEO of Altonet, says. “Furthermore, data loss could ultimately lead to an organisation closing its doors. Another risk to consider that forms part of the GRC agenda is . Organisations need to ensure that their networks are secure, that their backups are secure and that their information cannot be compromised.”

Olivier believes the biggest information risk challenge to a company is the loss of a company’s own data, more specifically, the loss of customer data, which is now punishable with fines under the Protection of Personal Information (POPI) legislation. “Adding to this, having unplanned and unscheduled downtime can be crippling to a business,” he warns.

Companies are vulnerable to breaches and information loss when it comes to GRC operations failure, Hayward explains. “Additionally, they face hefty fines if their licensed software infrastructure is inadequately managed.”

He believes outside access to the network becomes a reality when GRC operations fail. “Assets can be compromised if you don’t know what and where they are,” he says. “FICA standards and POPI need to be complied with, which is what we are concerned with regarding systems management, but if policies are not deployed to the access points (mobile, desktops, and laptops), the process is ungovernable.”

Failure in GRC operations can have a number of implications, not least of which is a lack of compliance with the law, according to Hathaway. “For example, King III requires that listed companies safeguard personal information, and the POPI Act extends this requirement to all organisations. Data is also an issue, and can result not only in breaches to confidential and sensitive information, but also loss of critical business data. In addition, the cost of retaining unnecessary information, which is often the result of a lack of effective GRC, can spiral out of control, and indiscriminate data retention policies can make defence in the case of legal situations difficult and expensive,” he explains.

CHALLENGES

Increases in data complexity, mobility and reliance on technology, together with undiscovered errors and hacking, are just some of the many GRC-related challenges that companies face today.

The biggest challenge, according to Masemola, is the evolutionary nature of the business landscape, attributable to mobile workforces, blurred organisational boundaries, consumerisation, big data and the Internet of things. “The advent of all these latest technologies, new business channels and globalisation are rendering organisations almost helpless with regards to managing information risk.”

Garth Hayward, Kaseya

He believes a lot of the complexities companies face regarding information risk boil down to not focusing on the basics. “Companies are frequently too keen to ride the next technological wave – be it cloud computing, BYOD, and so on – without doing the necessary due diligence on the stability and sustainability of the current business and technology environment,” he warns.

Hathaway also believes an increased reliance on technology means it is more important than ever for companies to manage the risks associated with this. “It is also vital to ensure that IT systems and business functions are aligned to support and facilitate strategy, which requires that business and IT work together to solve problems. Balancing the compliance, functional value and cost overhead is also a key part of the challenge,” he says.

According to Olivier, companies need to proactively test that they can actually restore service from backups – or they’re living with a false sense of security. “We’ve seen people lose months of data because they were backing up undiscovered errors. Companies also need to monitor and document their data environments for better resource management, capacity planning and compliance reporting. Yet, most companies never do this management because it’s expensive and time-consuming. Vendor guarantees for software that can make, verify and test backups could buy companies’ risk insurance,” he says.

Hayward believes companies often do not have access to complete information. “Frequently, when entering a new client site, we find that the information on internal systems is hopelessly lacking. Unless the information is complete, relevant, accurate, accessible, and timeous, it is useless,” he says.

One of the biggest challenges is hacking, according to Tudor. “Hacking occurs when networks are vulnerable due to ‘loopholes’ that allow unauthorised persons to gain access to these networks. The result is theft of information or malicious damage,” he explains.

He believes, especially with the POPI Act, companies need to ensure that customer information is safe and secure, risking criminal charges if customer information is leaked. “Companies will need to prove that they have put measures in place to protect their clients’ personal information.”

LOCAL LAW

Locally, the introduction of the POPI Act will have wide-reaching implications for data protection. Furthermore, existing legislation, such as the ECT Act and King III, continues to affect electronic information usage. Finally, local skills shortages also hamper the effective management of systems and data.

According to Masemola, the POPI Act will introduce additional requirements from a legislative compliance perspective, which will need to be incorporated into current and future GRC considerations. “It is this continuously evolving legislative landscape that necessitates the automation of GRC capabilities to ensure that organisations do not fall foul of the requirements.”

Tudor believes many organisations are procrastinating until POPI is officially made a compliance issue. “This is mainly due to the fact that there is a lack of knowledge around the Act and the implications if not adhered to,” he says.

SA has strong and well-evolved laws governing electronic information, Hathaway states. “The Electronic Communications and Transactions (ECT) Act governs any electronic business record, regardless of the medium, from e-mails and attachments to instant messages, fax and even data stored on computers. King III and POPI are two further examples of the mature compliance requirements around electronic information in SA. This, in combination with stringent labour laws and strained relations, means there is often a requirement for electronic information to be produced as evidence and monitored for breach of corporate policy,” he says.

Along with the continuously evolving legislative environment, according to Masemola, the continually changing threat landscape remains a key challenge to GRC efforts. “The Symantec 2013 Internet Security Threat Report paints an interesting picture, reporting a 42% increase in targeted attacks in 2012, and that 31% of all targeted attacks were aimed at businesses with less than 250 employees. It also noted that 5 291 new vulnerabilities were discovered in 2012, 415 of them on mobile operating systems, and 32% of all mobile threats steal information,” he cites.

Another key challenge, Masemola continues, especially in large organisations, is the silo approach, which is largely introduced by structural bureaucracies. “Essentially, this occurs when each risk function focuses solely on their areas of concern without consideration of the other. From a big data perspective, this can also prove challenging, when organisations collect large amounts of data and information, and seemingly unrelated GRC incidences may produce trends and clues to mitigating risks and/or ensuring compliance once they are correlated,” he says.

According to Tudor, many companies do not store data off-site, which presents further challenges. “This could be detrimental should data be lost through a disaster such as flooding or fire. Furthermore, organisations need to also ensure that the data backed up can be restored,” he advises.

The availability of suitably qualified technicians to deploy tools is lacking, which is why automation becomes critically important, explains Hayward. “By centralising the policy deployment, automation can take care of 50%-60% of the work. South African companies regularly look to the recommendations made in King III, but adherence to these and international compliance regulations is extremely difficult without an automated solution – the manpower shortage simply does not allow organisations to have watertight GRC policies in place. Automation effectively alleviates the workload,” he says.

GRC SUCCESS

Proactive risk management, change management, and early warning systems are some of the techniques that can be employed to help ensure effective risk management.

“As a whole, businesses should not be implementing reactive risk management, but being more proactive, adopting a defence-in-depth concept,” explains Masemola. “This is an information assurance concept in which multiple layers of controls are placed throughout an IT system. Its intent is to provide redundancy in the event that a control fails or a vulnerability is exploited, which can cover aspects of personnel, procedural, technical and physical [risk management] for the duration of the system’s life cycle.”

He also believes organisations should focus on streamlining their operations, and focus on the basics. “These should include, but not be limited to: defining data and information management policies; identifying and classifying data and information, especially confidential and critical data and information; classifying data sources, transmission channels and storage locations; and addressing the challenges of BYOD, cloud computing and social media with regards to information risk,” he says.

“Generally speaking, if you are not proactive with regards to risk management, it’s too late,” says Hayward. “When it comes to information, there are tools that can remotely wipe devices if they are lost or stolen, but there is no failsafe way to ensure that data is protected after a breach has occurred – something that, unfortunately, many companies realise too late.”

According to Tudor, one reactive risk management approach is to implement early warning systems.

“These warning systems alert organisations of a problematic activity taking place, or unwarranted access. For example, should the backup in process not be equally aligned with the current data, a warning is triggered. This allows the organisation to resolve the problem quickly,” he explains.
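Two points made in this article, Olivier’s warning above that companies “were backing up undiscovered errors” and only find out when a restore fails, and Tudor’s early warning that fires when “the backup in process [is] not equally aligned with the current data”, come down to the same control: restore the backup somewhere harmless and compare it with the live data before you need it. The following is an added example written for this article, not Veeam’s or Altonet’s tooling; the dataset, directory layout, the stand-in backup job and the application-level validation rule are assumptions made for illustration. It runs three scenarios: a clean backup, a backup that has fallen behind the live data, and a file that was silently truncated before the backup ran, which a checksum comparison against live data cannot catch because the backup faithfully copied the broken file.

```python
"""Restore-test a backup and raise an early warning when it diverges from
the live data or when the restored copy fails an application-level check.
Added example (not Veeam's or Altonet's tooling); dataset, layout and
validation rule are assumptions made for illustration."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(src: Path, dst: Path) -> None:
    """Stand-in for the backup job: a plain tree copy (assumed)."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def validate_record_file(path: Path) -> bool:
    """Application-level check (assumed): a record file must parse as a JSON list."""
    try:
        return isinstance(json.loads(path.read_text()), list)
    except (ValueError, OSError):
        return False


def restore_test(live: Path, backup: Path) -> dict:
    """Restore the backup to scratch space and compare it with the live data.

    A non-empty 'warnings' list is what the early-warning system would alert on.
    """
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restored"
        shutil.copytree(backup, restored)          # the restore step
        live_m, rest_m = manifest(live), manifest(restored)
        missing = sorted(set(live_m) - set(rest_m))           # backup lags live data
        changed = sorted(k for k in live_m.keys() & rest_m.keys()
                         if live_m[k] != rest_m[k])           # backup disagrees with live
        invalid = sorted(k for k in rest_m if k.endswith(".json")
                         and not validate_record_file(restored / k))
    warnings = []
    if missing:
        warnings.append(f"backup not aligned with live data, missing: {missing}")
    if changed:
        warnings.append(f"backup content differs from live data: {changed}")
    if invalid:
        warnings.append(f"restored files fail validation: {invalid}")
    return {"missing": missing, "changed": changed, "invalid": invalid,
            "warnings": warnings}


def demo() -> tuple:
    """Run the three scenarios on a constructed dataset; returns their reports."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        (live / "customers").mkdir(parents=True)
        (live / "customers" / "2013-q1.json").write_text(json.dumps([{"id": 1}]))
        (live / "customers" / "2013-q2.json").write_text(json.dumps([{"id": 2}]))

        take_backup(live, backup)
        clean = restore_test(live, backup)

        # New data lands after the last backup run: the backup is stale.
        (live / "customers" / "2013-q3.json").write_text(json.dumps([{"id": 3}]))
        stale = restore_test(live, backup)

        # A record file is silently truncated BEFORE the next backup runs, so the
        # backup copies a broken file: checksums agree with live data, and only
        # the application-level check notices.
        (live / "customers" / "2013-q3.json").write_text('[{"id": 3}')
        take_backup(live, backup)
        corrupt = restore_test(live, backup)
    return clean, stale, corrupt


if __name__ == "__main__":
    for name, report in zip(("clean", "stale", "corrupt"), demo()):
        print(name, report["warnings"] or "OK")
```

The third scenario is the one that matters: comparing the backup with the live data tells you the backup is current, not that the data is good, so a restore test needs a check that the restored data actually works (here, that each record file parses), which is the difference between verifying a backup and merely taking one.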

Olivier suggests looking at change management/workflow and getting a change control team in place to sign off on all changes to the data environment before they’re implemented. “If something was changed without any approval, they could look at why and how, to prevent disasters. Known as virtual machine life cycle management, a change control team could comprise people from capacity planning, hardware and procurement to incorporate the whole life cycle of an application. Of course, you don’t want to create a bureaucratic environment, but sometimes you need a bit more control,” he explains.

“And test, test, test… practice makes perfect,” he continues. “While you can’t guarantee complete immunity from a disastrous outcome, the more you test your GRC systems and responses, the more waterproof they will become.”

According to Hathaway, risk management is always a combination of people, process and technology. “Without all three in place, it is difficult to have a successful solution over the long term. Getting all stakeholders to work together and leveraging the new and existing technologies can have fast and meaningful results,” he concludes.