NTA Monitor

Latest News

New version of network scanning tool arp-scan released

15th March 2011 A new version of a respected and popular network scanning tool has been released.

Tests show rise in number of vulnerabilities affecting web applications with SQL Injection and XSS most common flaws

1st March 2011 SQL injection and cross-site scripting (XSS) were the most common flaws found in web applications in 2010, according to results from tests carried out by NTA Monitor.

Assess risk to manage effects of budget cuts

9th February 2011 Signs of economic recovery may be appearing in some industries, but for most organisations, particularly in the public sector, budget cuts and cost savings are here to stay for the foreseeable future.

"Basic security threats not changed in 15 years"

1st February 2011 There may have been significant technological advances in the hardware and software organisations use, but according to Roy Hills, who co-founded NTA Monitor in 1996, the basic security threats have not changed in the last 15 years.

The rise of information security compliance and regulation

The growth of information security compliance regulation shows no sign of slowing down, as more and more business sectors are required to comply with some form of information security standard. Whereas a few years ago compliance was a big issue only for central government and the financial services industry, retailers and local government are now affected through PCI DSS (the Payment Card Industry Data Security Standard) and CoCo (the Government Connect Code of Connection), and many companies must also ensure that their suppliers are compliant.

Of course, compliance and regulation do not affect only IT, but anyone who has been through a few audits will tell you that IT is often one of the main areas of deficiency, and also one of the costliest to address. Many organisations have the basic technical controls in place, but these are often not supported by formal policies, documented procedures and evidence that the controls are actually operating.

There is also a shift from unenforced best practices and guidelines towards audited compliance, because recent data loss incidents have shown that guidelines were often not being followed in practice. For many industries the days of self-assessment appear to be drawing to a close.

Achieving compliance often requires a substantial amount of work, which is a particular headache when it has to be done within a tight timescale. This is where prior preparation helps. By preparing for future compliance requirements you can spread the work over time, and you will be able to address any significant issues in reasonable timescales, which in turn helps to save costs.

The ISO 27000 series of standards provides a good foundation for most compliance requirements, and having this foundation in place will be a great help in any future audit. A gap analysis against the standard will also highlight the areas where significant weaknesses exist and give time for these to be addressed in a planned and controlled manner.

For those organisations that will be facing compliance audits in the future, my advice is: do not delay. There is a temptation to let other organisations be the guinea pigs, but the benefits of starting the process early will generally outweigh the disadvantages.