Can one catalog map to multiple compliance standards?

Can one sole resource be used to map security controls to a mass of different compliance regulations? In this SearchSecurity.com Q&A, Mike Rothman discusses the possibilities.

I'm working to create a generic safeguard catalogue that is mapped to many standards. The catalogue could then be used as the sole auditing resource, ensuring compliance with many standards while saving time and money. My idea was to use the COBIT/ISO 17799 (2nd edition) mapping provided by ISACA. Is such a catalogue possible, in terms of mapping to many standards and providing total coverage of information security issues?

My philosophy is that a strong security program leads to compliance, and for that reason, I advise everyone to focus on security first. Implementing proper safeguards will result in compliance with any given regulation.

The reality is that you need some way to map a security control to the appropriate requirement of a regulation to prove that you are doing something. So I see a definite need for some type of catalog. A number of corporate governance consultants and software companies have done similar mappings.

With these compliance and governance offerings, each organization will face the buy vs. build decision. In general, I'm a fan of buying rather than taking matters into my own hands, but this is not always an option. There are clear situations where a commercial offering that focuses on a set of generic controls and common regulations may not fit your environment, especially if you have a very complex and customized one. But those environments are few and far between. Given the significant resource requirements necessary to keep a catalog mapping up-to-date and relevant to dynamic business conditions, I figure most organizations are better off buying.

The biggest challenge you'll have is making the catalogue relevant to a security person's day-to-day activity. Why? Basically because most catalogs and/or mappings are just another set of reports that security professionals need to deal with. Optimally, reporting and compliance can be leveraged with daily operational activities. That way, it's easier to see how implementing new controls or remediating problems can actually have an impact regarding specific regulations.
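To make the catalog idea concrete, here is an added example (it is not part of the original Q&A, nor any vendor's or ISACA's mapping): a small Python model of a safeguard catalog in which one control maps to requirements in several standards at once. It computes per-standard coverage from the controls' implementation status and answers the operational question raised above, namely which requirements in which regulations a single remediation would newly satisfy. All control IDs, standard names ("StdA", "StdB", "StdC") and requirement IDs are constructed for illustration and are not real COBIT or ISO 17799 clause numbers.

```python
"""Added example, not from the original Q&A: a minimal control catalog that
maps each safeguard to requirements in several compliance standards, computes
per-standard coverage, and reports which standards one remediation affects.

All identifiers below (control IDs, standard names, requirement IDs) are
constructed for illustration; they are not real COBIT/ISO clause numbers."""

from dataclasses import dataclass, field


@dataclass
class Control:
    """One safeguard in the catalog, mapped to requirement IDs per standard."""
    control_id: str
    description: str
    implemented: bool
    mappings: dict[str, list[str]] = field(default_factory=dict)


# Constructed sample catalog. A control may satisfy requirements in several
# standards at once; that many-to-many structure is the point of a catalog.
CATALOG = [
    Control("AC-01", "Unique user IDs, no shared accounts", True,
            {"StdA": ["A.4.1"], "StdB": ["B.2.3", "B.2.4"]}),
    Control("AC-02", "Quarterly access review", False,
            {"StdA": ["A.4.2"], "StdB": ["B.2.5"], "StdC": ["C.7.1"]}),
    Control("LG-01", "Centralised logging, 90-day retention", True,
            {"StdB": ["B.5.1"], "StdC": ["C.9.2"]}),
    Control("LG-02", "Daily log review", False,
            {"StdC": ["C.9.3"]}),
    # Second control backing C.9.2: a requirement is met if ANY backing
    # control is implemented, so remediating LG-03 buys nothing extra here.
    Control("LG-03", "Alert on gaps in log delivery", False,
            {"StdC": ["C.9.2"]}),
]


def requirements_by_standard(catalog):
    """Return {standard: {requirement_id: set(control_ids)}}.

    A requirement can be backed by more than one control; keep them all so a
    requirement only counts as unmet when every backing control is missing."""
    out = {}
    for c in catalog:
        for std, reqs in c.mappings.items():
            for r in reqs:
                out.setdefault(std, {}).setdefault(r, set()).add(c.control_id)
    return out


def coverage(catalog):
    """Per standard: (met, total, sorted list of unmet requirement IDs)."""
    implemented = {c.control_id for c in catalog if c.implemented}
    result = {}
    for std, reqs in requirements_by_standard(catalog).items():
        unmet = sorted(r for r, ctrls in reqs.items() if not ctrls & implemented)
        result[std] = (len(reqs) - len(unmet), len(reqs), unmet)
    return result


def remediation_impact(catalog, control_id):
    """Requirements, per standard, that become newly met if `control_id`
    is implemented. Standards with no change are omitted. The input
    catalog is not modified; a trial copy is evaluated instead."""
    before = coverage(catalog)
    trial = [Control(c.control_id, c.description,
                     c.implemented or c.control_id == control_id, c.mappings)
             for c in catalog]
    after = coverage(trial)
    impact = {}
    for std in before:
        gained = sorted(set(before[std][2]) - set(after[std][2]))
        if gained:
            impact[std] = gained
    return impact


if __name__ == "__main__":
    for std, (met, total, unmet) in sorted(coverage(CATALOG).items()):
        print(f"{std}: {met}/{total} requirements met; unmet: {unmet}")
    print("Implementing AC-02 would newly satisfy:",
          remediation_impact(CATALOG, "AC-02"))
    print("Implementing LG-03 would newly satisfy:",
          remediation_impact(CATALOG, "LG-03"))
```

The design choice worth noting is that a requirement is keyed to the set of controls that back it, not to a single control, so the report distinguishes a remediation that closes gaps in three regulations at once (AC-02) from one that closes none because another control already covers the same clause (LG-03). That is the kind of per-regulation impact a catalog needs to surface if it is to be tied to day-to-day remediation work rather than read as one more report.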

This was first published in April 2007
