Architect Complementary Security and Compliance Programs - Information Security Magazine

Architect Security and Compliance Programs to Be Complementary

Compliance and security are business issues that require business solutions.

It's become popular in the security community to decry compliance as not being the same thing as security. However, the problem isn't with compliance, but rather with business making assumptions about what being certified means. Rather than a measure of security, all certification means is that you meet a certain metric at a certain point in time. In reality, compliance and security programs are constant, ongoing efforts.

We can complain all we like about compliance, but it is here to stay and is likely to get more complicated. The best thing we can do is embrace it and architect our compliance and security programs to be as complementary as possible, with each other and with the goals of the business. There are two important steps to help this effort.

The first is to do a better job educating auditors so they can do a better job assessing the programs. Lots of auditors don't understand security well enough to ascertain whether controls are effective or even where controls are needed. This is a huge problem.

The other step is to understand that compliance, much like security, is not a technology problem--it's a business problem that needs a business solution. Institute sustainable business processes; if you properly leverage people

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

and technology to do this, you achieve compliance and security. Consistent, repeatable processes are the cornerstone of just about every compliance framework today. In fact, compliance and security are almost exclusively about process, with technology an afterthought. Fortunately, fixing processes doesn't have to be complicated; there are three basic tenets to keep in mind:
  1. Separation of duties: Create a simple system of checks and balances, for example by investing expenditure-approval authority and check-writing authority in two different entities or individuals. In a high-risk environment, a company may rotate duties to prevent collusion. For instance, the Federal Reserve Board requires authorization by individuals from at least three different groups to move gold from one vault to another; designated representatives from each of these groups are rotated regularly as well.


  2. Need to know: Limit access to critical information to those few people who have a true need to know. Establish a process for regular review of these access lists. Quarterly or semi-annual review is fairly standard for sensitive applications, augmented by additional reviews triggered when an employee changes job roles to ensure that privileges are not kept by default beyond their relevance to actual job requirements.


  3. Change management: Establish the framework for change--and business continuity--by fully describing the systems that exist. Often perceived as tedious with burdensome documentation requirements, change management is a key control mechanism for managing and securing financial systems. Auditors appreciate the value of solid change management practices, which translates to smoother audits.
An effective change management process is methodical and simple. Document all systems, detail the steps required for changes and establish an audit trail. The documentation serves the additional purpose of forming the basis for a business systems resiliency or disaster recovery plan. Additionally, create a review board to identify hazards, negotiate details and explain and "market" prioritizations to individual work groups prior to changes happening.

Business needs drive the changes in process, and compliance is a major business driver. If a business process needs to be changed, change it. By embracing compliance, security practitioners can kill two birds with one stone. The benefits are lower cost and more reliable operations, less time and money spent on audits, and greater peace of mind for the organization.

This was first published in June 2008