Security & Compliance Strategy - What is the Right Approach?
SOX, HIPAA, GLBA, PCI…we have so many regulations now that we know them by acronym. And yet when we need to manage, report and audit them, we still treat each like a separate entity – “I’m getting ready for the SOX audit next week,” or “I have to generate a new report for the PCI auditors.” In many ways its human nature – take care of the urgent so that we can survive to see a new day, but just like the human race has evolved we need to evolve our thinking of how to more effectively manage regulation compliance.
There are nearly 500 different regulations worldwide. Depending on your industry, location and company size, you have to comply with anywhere from one to more than 100 different regulations, not including the internal corporate governance policies that you have to adhere to as well. Unfortunately we are programed to handle one at a time as the audits are all based on each given regulation, so we find ourselves dealing with one fire drill after another. Companies that take this approach find themselves spending more time and money every year to try to keep up with new regulations and updates to existing regulations. This is not a scalable approach.
In addition, while you might be able to pass the audits and find yourself “in compliance,” many companies discover this does not mean they are necessarily secure. Most of the highly publicized information breaches have occurred shortly after those same enterprises were found compliant with key regulations. While the IT security teams were so focused on making sure they passed the audit, they missed the bigger picture of whether the corporate data was properly protected. They missed the forest for the trees.
So, what is the right approach?
Think strategically and act tactically - if you focus on security, you will get compliance as a byproduct. In addition, the vast majority of IT controls that need to be adhered to in any regulation are generally the same across all regulations. By setting up the right controls, you are scaling your compliance efforts to handle dozens if not hundreds of regulations.
There are various approaches to how one might execute on this approach, but one of the best practices I have heard was recommended by an IT Director in charge of managing security and compliance for a global enterprise. He recommends IT Security and Compliance professionals standardize on ISO 27001 and by doing so, they will be able to cover most of the critical regulations in the world today. ISO 27001 is an Information Security Management Systems (ISMS) standard that was published in 2005 and by certifying your company systems under this standard you will discover regulations like PCI DSS, SOX, and Data Privacy standards are addressed. ISO 27001 is effectively a unified framework for IT controls that if followed, enables you to efficiently scale to handle multiple requirements. In fact, the Unified Compliance Framework (UCF) initiative, whose purpose is to map common IT controls across the hundreds of worldwide regulations, is based on this ISO standard.
As an information security standard, ISO 27001 guides you to focus on addressing IT security risk first and enables regulatory compliance in the process. By looking at threats and their potential impact, vulnerabilities and IT controls already in place, you can build a roadmap for where your greatest security risks lie and what needs to be addressed first. This is a repeatable process that you will need to continuously employ to handle the many challenges that could impact company security and compliance.
One of those challenges is the fact that many state and country regulations for information security are not only different, but in fact contradictory with each other. So any business operating in more than one state or country needs to address these reporting differences through policy and IT controls that enable compliance with each standard. As an example, the data privacy laws in European Union (EU) are much stricter than in other parts of the world. It is illegal in EU countries to move personal data out of the county, which certainly poses challenges for companies that operate worldwide.
Another challenge is that no matter strict your processes and how rigorous you follow them, human interaction with corporate data and systems naturally creates vulnerabilities. How many of you have applied a patch only to discover it enabled a new vulnerability?
In order to handle these challenges and the fact that systems, companies and regulations are always changing, the key is to focus on Continuous Compliance – not just setting up the IT controls to get in compliance, but automating and managing them to STAY in compliance. I would bet more than 95 percent of companies are out of compliance against a given standard within 24 hours of passing the audit for that regulation. It’s like cramming for the test, getting a good grade, forgetting most of what your learned, and then having to cram again for the final exam. It’s wasted effort. The most successful companies, the other 3 to 5 percent, realize that it is more important to set up a consistent repeatable process so that the “test” (in this case the audit) becomes simple. Some companies have become so polished at it that their internal audit reports are being accepted by external auditors as proof of compliance which is saving them millions of dollars each year.
When looking at security and compliance solutions you want to choose best of breed while also making sure the solutions are integrated between products from the same vendor as well as with other partners in your IT security ecosystem. Any part of your IT security and compliance infrastructure that is not integrated is affecting your efficiency and ability to scale, as well as creating security risks and compliance holes.
Continuous Compliance also includes creating a culture of security around the company. It is not enough that the IT security folks are focused on security and compliance, everyone in the company needs to be committed to the mission. Leaving your audit reports in the pocket of the airplane seat (yes it happened) is as much a problem as not patching your system vulnerabilities. Awareness is the first step since security and compliance is as much about the people creating and interacting with the systems and data as it is the technology and processes. If employees are educated, aware, and motivated, continuous compliance is achievable and in fact constantly improved.
Where do I start?
Successfully managing security and compliance is difficult in any sized organization, but universally most people will suggest the place to start is by getting a detailed understanding of the standards and regulations that affect you. Unfortunately most people translate this very literally and try to read the volumes of information on each of numerous regulations affected them. In reality, the right approach is to focus on security and compliance will fall in line. Get familiar with ISO 27001 and the Unified Compliance Framework and you will be setting yourself up for scalable success. Use that model to create the processes and acquire the technology your need to best protect your company assets. Then automate the processes to create a continuous compliance model that not only gets your in control, but keeps your in control. See the forest for the trees.
Related Reading: Preparing Organizations for a New Era of Compliance