To be confident that its activities are compliant with all required regulations, an organisation requires a constantly updated view of its use of information technology. Dynamic network modelling is the answer.
GDPR currently dominates the compliance agenda for EU-based organisations. However, they must also consider many other regulations passed down by national governments, industry bodies and other entities.
Taking a separate approach to complying with each one is laborious and leads to inconsistencies. Dynamic network modelling can provide the insight to ensure the use of information technology is, and remains, compliant with all relevant regulations.
Network modelling to provide IT infrastructure insight
It is hard to understand a complex system and how it might be impacted by changes through looking at the system itself. For example, it is risky for planners to make experimental changes to the signalling on a city’s actual road system in case traffic grinds to a halt. Instead, computer models are built of complex systems to provide visibility into how they work and the impact that changes might have.
Information technology (IT) networks are just such complex systems. A large organisation’s network may consist of tens of thousands of physical and virtual devices, and it grows more complex as the network extends into new areas. These include the remote IT infrastructure of public cloud service providers, as the use of their services increases, and other elements of physical infrastructure, such as vehicle fleets, pipelines and buildings, which are being digitised for monitoring and management through Internet of Things (IoT) deployments. Furthermore, the decision about what is deployed is increasingly being made outside of IT departments with the rise of so-called shadow IT, whereby lines of business and individuals make their own additions to networks.
All this means that modelling IT networks has become ever more necessary, and the models themselves, just like the real networks, have become more complex. A comprehensive, dynamic and regularly maintained model enables even the largest networks to be visualised and tested on a day-to-day basis. Some of the tools that build and maintain such models also quantify the networks, providing scores for resilience and security and ensuring the integrity of given network segments is understood. Imagine being able to continuously assess the integrity and resilience of the IT infrastructure that underpins a given business process.
The tools that build and support network models automate many tasks which would otherwise drain manpower. Automated tools do not miss minor configuration errors and policy mistakes which might be overlooked by tired, less efficient human operators. IT managers, freed from mundane details, can operate at a higher level, focussing on new digital initiatives and the overall user experience. In short, a network model can measure and improve an organisation’s overall digital resilience (the ability of IT infrastructure to withstand a range of threats and continue to provide ongoing services).
Network Modelling for Regulatory Compliance
There is, however, another powerful spin-off from network modelling: the ability to answer many regulatory questions with ease. Imagine being able to confirm compliance to different auditors at any time by running standard reports from a single tool that confirms relevant processes have been continuously running on isolated network segments with proven levels of security. The need to do so is ever more pressing as regulators clamp down on how IT risk is managed and data privacy ensured, whilst expecting open services.
This report looks at how network models can help European IT managers ensure their organisation’s networks have the security and resilience to meet the requirements of some of the most demanding regulations to have emerged or been modified in recent years:
- The EU General Data Protection Regulation (GDPR)
- EU Network Information Security Directive (NIS)
- Payment Card Industry Data Security Standard (PCI/DSS)
- Payment Services Directive (PSD/PSD2)
- The E-Privacy Directive
- The UAE’s National Electronic Security Authority Information Assurance Standards, a recent regulation in the Middle East, which gives an indication of where government legislation may be heading.
For specific information, download the Network Modelling for IT Compliance whitepaper.