This year compliance, next year control

Regulatory compliance and information security reached critical mass in 2004 -- it was the prep year for complying with HIPAA security and SOX 404. SB 1386 had everyone talking, and the identity theft epidemic finally jarred the American public into understanding the ramifications of privacy. Executive responsibility (thank you SOX) put pressure on board room members to get serious about security compliance, and legislatures from California to Washington DC piled on the regulations.

We're entering the age of corporate governance -- where security and risk management controls are key to enforcing the policies and procedures that make good risk management, and good business. Here at META Group we track the progression of organizations through the stages of proactively addressing risk management. In 2004 we saw the largest collective increase in maturity throughout our client base driven primarily by regulatory compliance concerns -- that's hundreds of enterprises with billions of dollars in revenues vigorously addressing policy, and applying process and formalization in their security programs.

• Peruse these resources on SOX security best practices.
• Read this Q&A on HIPAA-related policies and regulation enforcement.
• Read how a pre-audit can help you determine your compliance strategy.

The next step for these organizations is to select practical and appropriate controls (processes or technologies), based on reasonably anticipated risks, which are used as a countermeasure for risk mitigation. Typically auditors are more interested in your written procedures and process for implementing a control than they are in the automating technology. For example, it is more important to have a documented and reasonable process (manual or automated) to analyze event log data than to have fully automated centralization and analysis.

Organizations also need to build a defensible case that proves their choices were correct for their organization. You can't protect yourself from everything so you have to select controls that protect you from reasonably anticipated risks. Compliance is ultimately a negotiation with an auditor because there is no definitive assertion of what equals compliance with any security regulation.

Enterprises will no doubt turn to technology to help them implement appropriate controls. META Group has seen significant increase in interest and sales for VPN, security information management and identity management technologies. Most products provide value as enabling security controls. But the vendor you want to talk to is the one offering to help you build the defensible case that their product automates your processes and protects against reasonably anticipated threats in your enterprise.

Organizations have an opportunity in 2005 to capitalize on their executives' focus on compliance to create good control environments, select and implement a good control set, and formalize their security programs for success. We've never seen this level of executive support and it's predictable that their interest will wane as they begin to feel as though the problem is "solved." It's important that security professionals seize this opportunity to get a jumpstart on their organization's next level of security and risk management.

About the author
Paul Proctor, CISSP, CISM, is the Vice President of Security and Risk Strategies for META Group Inc. He is a recognized expert in the field of information security and associated regulatory compliance issues surrounding HIPAA, Sarbanes-Oxley and GLBA.

BROWSE BY TAG Security Audit, Compliance and Standards,   FISMA,   Gramm-Leach-Bliley Act (GLBA),   HIPAA,   Data Privacy and Protection,   Sarbanes-Oxley Act,   Enterprise Data Protection,   Identity Theft and Data Security Breaches,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT FISMA GAO report cites government weaknesses, data leakage DHS fills National Cybersecurity Center post Experts optimistic of Obama cybersecurity plan WH cybersecurity plan needs private sector guidance White House cybersecurity czar faces major hurdles Feds should get private sector advice on cybersecurity ICE Act would create White House cybersecurity post Experts alarmed over U.S. electrical grid penetration Group identifies top 20 security controls to thwart cyberattacks FISMA compliance made easier with OpenFISMA FISMA Research Gramm-Leach-Bliley Act (GLBA) Implement security and compliance in a risk management context The road to compliance IBM to boost security spending, push PCI DSS program ISO 27001 could bridge the regulatory divide, expert says Policies and regulatory compliance Where hard drives go to die, or do they? Compliance guide for managers: Lessons learned and best decisions Become compliant -- without breaking the bank Compliance Guide for Managers Making sense of the maze Gramm-Leach-Bliley Act (GLBA) Research HIPAA Cost of security, IT management add up at healthcare facilities, study finds Healthcare security spending remains sluggish, report shows Creating a HIPAA employee training program FTC extends breach notification to Web-based health repositories Are there guidelines to create a HIPAA-compliant data center? HHS HIPAA guidance on encryption requirements and data destruction Writing a patient identifier policy to prevent common HIPAA violations HIPAA compliance: New regulations change the game HIPAA compliance manual: Training, audit and requirement checklist Key elements of a HIPAA compliance checklist HIPAA Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Federal Information Security Management Act  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary