
Policy: The first step toward risk management

When it comes to dealing with risk management issues, think policy first and technology second. Build a defensible case. Once you have a policy in place, technology--in the areas of Identity and Access Management (IAM), Security Information and Event Management (SIEM), configuration auditing, content monitoring, database activity monitoring and IT governance risk/compliance--can help. If you implement only one technology, it should be IAM, with SIEM running a close second. But they are no substitute for solid policy. Configuration management systems can help find faulty business practices, but it's policy that makes users understand what's acceptable usage and what isn't. Configuration auditing technology pinpoints unauthorized changes in the network, but you still need well-defined configuration policies and change management processes. Database activity monitoring technologies are a good idea, but they're not enough; systems must be re-engineered for encryption. IT governance and policy management technology can help businesses strengthen external audit posture and can reduce the cost of control measurement and compliance reporting, but it shouldn't be considered a substitute for policy development work.

Learn more about the importance of policy in risk management:
- read the article at SearchCIO

ALSO: read this on the intersection of risk and compliance
