Most organizations fall under the purview of two or more regulations, for example: PCI DSS and SOX for most retailers,. Implementing security controls for one regulation, like the 12 requirements of PCI DSS, can and should be directly applicable to the requirements of the other regulation. But maintaining and reporting on such maps can be challenging and resource intensive.
The good news is that there are a number of options to do this mapping. A new generation of security tools called GRC suites, (governance, risk and compliance), are emerging, and one of their key value propositions is to gather data and generate audit-specific reports in accordance with what each regulation requires. But these tools are new, and thus they are still expensive and resource intensive to employ.
A cheaper alternative is to leverage the content developed by the Unified Compliance Framework, a commercial entity that maps IT controls to international regulations and standards. There are several free tools on their site and licensing their content and templates incurs only a modest cost.
Remember, the end goal is leverage. A control should be useful across multiple regulations. Having a map makes this leverage possible.
- Read more about mapping security policies with NAC.
- Are there security management products that track compliance objectives? Learn more from this expert response.
Dig Deeper on Information Security Policies, Procedures and Guidelines
Related Q&A from Mike Rothman, Contributor
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.