Security compliance: How much is enough?

by Michael O’Dwyer, contributor, The PULSE of IT, November 23, 2015

Excerpt: Businesses should take baby steps when it comes to security compliance, starting with a security standard that is easier to comply with, like the ISO/IEC 27002, which deals with end-to-end security.

“It is easy to understand, and it is up to the company to determine the level of detail. For example, it does not dictate that passwords be eight characters long. It requires that you have a secure log-in control,” said Jeff VanSickel, principal consultant and compliance practice lead at SystemExperts.

Companies may be unofficially compliant in practice already.

“When the company bought its first server, it went through the information security process. The problem was the company opened up the box, installed the server, changed some settings in the name of securing the server, and it didn’t document any of it,” said VanSickel. “When asked if security is in place, it can say yes, but it can’t prove any of it.”

Link to full article: Security Compliance: How much is enough?