NTA Monitor

Latest News

IT Managers get to grips with Internet security issues

4th May 2010 According to NTA Monitor's 2010 Annual Security Report, the average number of Internet security vulnerabilities afflicting organisations has fallen...

Will IE6 be the next NT4?

1st October 2009 All penetration testers will remember the long tail of Windows NT 4.0, and how this operating system continued to be used long past the point when security updates stopped at the end of 2004. For many years the presence of an unpatchable NT4 server was a common issue in a penetration test report, and it is only now, almost five years after security support ended, that finding an NT4 system on a network is becoming a rare event.

One in four web applications susceptible to high risk security flaws

7th September 2009 NTA Monitor has reported a 10% increase in the total number of web applications found to have at least one high-risk security issue...

Organisations facing a changing threat landscape

20th July 2009 According to NTA Monitor's 2009 Annual Security Report, the average number of Internet security vulnerabilities is on the rise...

The rise of information security compliance and regulation

The increase in information security compliance regulations shows no signs of slowing down as more and more business sectors are being required to comply with some form of information security regulations. Whereas a few years ago compliance was only a big issue for central government and the financial services industry, now retailers and local government are affected through PCI DSS and CoCo, and many companies need to ensure that their suppliers are compliant as well.

Of course, compliance and regulation do not affect only IT, but anyone who has been through a few audits will tell you that IT is often one of the main areas of deficiency and also often one of the costliest areas to address. Although many organisations have the basic IT components in place, these are often not supported by formal policies and controls.

There is also a shift from un-enforced best practices and guidelines towards audited compliance, as recent data loss incidents have shown that guidelines were often not being followed in practice. It seems that for many industries the days of self-assessment may be drawing to a close.

Compliance often requires a substantial amount of work, which can be a headache, especially when it has to be done within a tight timescale. This is where prior preparation can help. By preparing for future compliance requirements you can spread the work, and you will also be able to address any significant issues within reasonable timescales, which helps to save costs.

The ISO 27000 series of standards provides a good foundation for most compliance requirements, and having this foundation in place will be a great help for any future audit. A review will also highlight those areas where significant weaknesses exist and give time for these to be addressed in a planned and controlled manner.

For those organisations that will be facing compliance audits in the future, my advice is: do not delay. Although there is a temptation to let other organisations be the guinea pigs, the benefits gained by starting the process early will generally outweigh the disadvantages.