My philosophy is that a strong security program leads to compliance, and for that reason, I advise everyone to...
focus on security first. Implementing proper safeguards will result in compliance with any given regulation.
The reality is that you need some way to map a security control to the appropriate requirement of a regulation to prove that you are doing something. So I see a definite need for some type of catalog. A number of corporate governance consultants and software companies have done similar mappings.
With these compliance and governance offerings, each organization will face the buy vs. build decision. In general, I'm a fan of buying rather than taking matters into my own hands, but this is not always an option. There are clear situations where a commercial offering that focuses on a set of generic controls and common regulations may not fit your environment, especially if you have a very complex and customized one. But those environments are few and far between. Given the significant resource requirements necessary to keep a catalog mapping up-to-date and relevant to dynamic business conditions, I figure most organizations are better off buying.
The biggest challenge you'll have is making the catalogue relevant to a security person's day-to-day activity. Why? Basically because most catalogs and/or mapping is just another set of reports that security professionals need to deal with. Optimally, reporting and compliance can be leveraged with daily operational activities. That way, it's easier to see how implementing new controls or remediating problems can actually have an impact regarding specific regulations.
Dig Deeper on Information security policies, procedures and guidelines
Related Q&A from Mike Rothman
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ...continue reading
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.