CISO members of Wisegate share best practices for GRC, SIEM and IAM

The CISO members of the social networking community called Wisegate usually share their best practices only with each other. Now Wisegate has compiled and made publicly available some of the members' security tips and best practices for GRC, IAM and SIEM implementations.

A few weeks ago I told you about Wisegate, a new business social networking site for high-level IT and security executives. The idea behind the site is that executives at this level -- CIO, CISO, IT director, etc. -- have few peers or confidants at their own company and they use the other members of Wisegate as confidential advisers and sounding boards. Participants can share war stories and have deep discussions in online forums and on conference calls, and they can poll each other to get real and honest opinions without the hype of marketing-speak.

Like being in the fog of war, sometimes high-level executives don't see all the details about a big project until they step back and survey the situation. This is when they say, "If I had to do it all over again, here's how I'd do it." This is truly how best practices are developed -- by making and identifying mistakes and adjusting for them the next time around.


The Wisegate members have developed plenty of best practices over the years. Collectively, this group has worked on just about every kind of major IT implementation you can imagine, and they have the battle scars to prove it. Now they are starting to share some of their experiences.

Wisegate has just published a collection of its members' security tips and best practices on the topics of Governance, Risk Management, and Compliance (GRC); Identity and Access Management (IAM); and Security Information and Event Management (SIEM). I've excerpted some of their tips below, but you can find the full report at

GRC best practices

The very nature of a GRC tool makes it pervasive throughout all of an organization's systems and processes. This is the only way an organization can automate the collection of information that reveals risks to the business and policy compliance status. In this context, the Wisegate members share their tips about implementing a GRC toolset:

➢ Make sure you understand the operational impacts of the product before you commit to it. GRC products are all-encompassing by nature. Your company's top executives, in particular, will be impacted by a GRC implementation, so make sure they are willing to go through training and to adapt to the new system.

➢ Perform a proof of concept (PoC) that deploys all modules of the tool. If the PoC is successful, use that same instance for production. Following this process helps you cut costs and develop a working toolset more quickly.

➢ Understand that this is a tool that requires care and feeding. A program around GRC must be in place with proper policies, procedures and workflow. If you don't have procedures and workflow around GRC, it can be tempting to simply use whatever the tool has built in.

IAM best practices

Strong identity and access management sets the tone for all aspects of application security within an organization. Wisegate members recommend the following:

➢ Start with a thorough assessment of what you are trying to do and really understand the integration points of the different systems and products. Bring in a consultant who specifically has done this type of implementation to help with the assessment.

➢ Send someone from your technical staff to training before you sign with a specific vendor. This gives you the opportunity to learn things you wouldn't get from an evaluation, such as how well the out-of-the-box features will work for your organization.

➢ Be sure to get good definitions of what the access roles need to look like -- exactly what type of user would have access to what. This takes time to figure out.

➢ Develop a provisioning maturity roadmap. Document the manual processes first, then move to request-driven automated provisioning, and move to fully automated provisioning only once the data is of sufficient quality.

SIEM best practices

SIEM tools are growing in popularity for their ability to improve both a company's security posture and its IT operations. Wisegate members with SIEM experience suggest the following:

➢ If you don't have an in-house expert in security technologies -- in particular logs and log management -- rent one. Building the data correlations takes a high level of expertise.

➢ When you plan a logging and monitoring tool for capturing information for investigations, the widest coverage you can achieve at the time is always to your advantage. If you only cover a few servers initially with the idea of expanding later, you won't get as much value as if you take the cost upfront and hook the tool into all the strategic systems that you think may be able to take advantage of it.

➢ Avoid internal organizational conflicts. Between the Security team and the IT Operations team, decide who really owns the tool and controls how it is used, and by whom.

If you think you'd like to hang out with the Wisegate members, go to to learn more and to submit your request for membership.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Copyright © 2011 IDG Communications, Inc.