Tuesday, July 26, 2011

Due diligence and due care on secure systems

Standards codify best practices, and it is better to follow open standards when building secure systems. In interconnected systems everybody depends on everybody else, and following open standards makes interconnection easier and improves interoperability. Introducing proprietary security systems is not best practice. When building a secure system we should consider the following control categories:
  • Administrative controls (defining policies, awareness training, risk management)
  • Technical controls (routers, IDS, encryption, auditing)
  • Physical controls (locks, security guards)
All of these categories have to work together to achieve holistic security. But in real enterprises there are gaps between technical people and managers. Technical people complain that top management doesn't listen to their requests, and managers say that all they hear is requests for more money. These gaps create vulnerabilities in the system. Technical people have to learn to make a business case that is tied to the business drivers.

Companies often consider only the technology when they build security programs. They should consider the technology, the business processes, and the people using them together. Security people have to understand the regulations and legal requirements (federal laws, state laws). When laws are handed to agencies (regulatory bodies), those agencies define the regulations. Security people also have to understand the business drivers and the level of risk the business accepts.

Due diligence and due care are both important in building secure systems. Due diligence is assessing the vulnerabilities in the system; due care is doing something about them and fixing the problems. Due diligence means uncovering potential dangers, carrying out assessments, performing analysis on the assessment data, implementing risk management, and researching and understanding the vulnerabilities, threats, and risks. If you are brought to court because of an attack on your enterprise's security system, demonstrated due diligence is your protector.

Regulations force industries to comply with security requirements. Regulations are important to prevent corruption; the USA took a serious look at regulation after the Enron downfall.
