Over the years, these countermeasures and policies have accumulated. Some
are still in use even as the company seeks the next best mousetrap and
others have been cast aside as their utility faded or they were replaced by
something else.
These various solutions have likely worked fairly well at keeping the company's applications and network safe from various threats. However, as you seek to gain a better idea of your inventory and start poking around the garage, the basement, and the attic, you may begin to realize that your application security tools and policies lack a common approach or oversight. Therefore, it is important to check whether this is true for your company and, if so, implement a plan to bring uniformity to the company's approach based on accepted best practices.
Consolidating the IT infrastructure makes sense, particularly for global companies. For example, IBM is consolidating its back office functions and moving them into global regions (procurement in China, service delivery in India) and building shared service centers and centers of excellence as a way to improve efficiencies and develop new products and services. To do all this, IBM overhauled its management culture. By consolidating these functions, they can be optimized to cost less and to be managed more consistently. Managing compliance in one location is obviously much more efficient than managing it in many locations around the world.
Making friends with the IT department
As you begin to look at the various frameworks upon which the company could build its own system, dig into threat modeling, and consider how to defragment your security assets and policies, it's also a good time to bridge what can often be a rather large gap between the IT and business sides of the business. The following points, taken from "New Era of Corporate Governance: Application Security Implications of Sarbanes-Oxley Act of 2002 and Proposals to Securities and Exchange Commission," by Gary Dickhart, should help by providing a starting point for those efforts:
- Make sure that there is a process to facilitate knowledge sharing between the business and IT sides.
- Simplify technical information so that it is accessible to non-IT personnel.
- Application security countermeasures (policies and technical tools) should be a part of daily life for managers.
- People close to the daily operations of the company should handle security-related activities in order to best monitor trends.
- Align all processes, policies, and countermeasures with best practices.
274 Part IV: Managing the Flow of Information