Most organizations fall under the purview of two or more regulations, for example: PCI DSS and SOX for most retailers,. Implementing security controls for one regulation, like the 12 requirements of PCI DSS, can and should be directly applicable to the requirements of the other regulation. But maintaining and reporting on such maps can be challenging and resource intensive.
The good news is that there are a number of options to do this mapping. A new generation of security tools called GRC suites, (governance, risk and compliance), are emerging, and one of their key value propositions is to gather data and generate audit-specific reports in accordance with what each regulation requires. But these tools are new, and thus they are still expensive and resource intensive to employ.
A cheaper alternative is to leverage the content developed by the Unified Compliance Framework, a commercial entity that maps IT controls to international regulations and standards. There are several free tools on their site and licensing their content and templates incurs only a modest cost.
Remember, the end goal is leverage. A control should be useful across multiple regulations. Having a map makes this leverage possible.
- Read more about mapping security policies with NAC.
- Are there security management products that track compliance objectives? Learn more from this expert response.
This was first published in May 2008