Mix of Frameworks and GRC Satisfy Compliance Overlaps

This article can also be found in the Premium Editorial Download "Information Security magazine: Lessons learned from good and bad NAC implementations."


"Business sees anything having to do with compliance as a necessary evil; they need it because they're being told they need it," Theisen says. "I'm trying to turn that around and say, 'No, you can also use IT governance, self compliance, business operations compliance and security to actually be a market differentiator against your competitors. You can turn it around and use it as a way of doing a better job against your competitors.'"

First Advantage is a data provider, serving car dealers, mortgage servicers and employers with credit reports, background checks, skills assessments and more. The California-based company is subject to Sarbanes-Oxley, the Fair Credit Reporting Act, Gramm-Leach-Bliley, PCI DSS, and state data breach notification and privacy laws. Many of the regulations' requirements overlap, yet prescriptive guidance on how to satisfy them is minimal.

In response, Theisen architected what she calls the FERM (First Advantage Enterprise Risk Management) program to identify controls to cover as many regulations as possible. The framework is a blend of COBIT, ISO and NIST recommendations and a mix of manual processes to identify risk and controls and ultimately feed them into a GRC tool from ControlPath, which the company purchased 18 months ago.

"We implemented the tool across business units to perform assessment, identification, testing and remediation work to ensure we meet compliance for all of our business units," she says.

Theisen compared the manual processes in place before automation to typical audit work: lots of face-to-face interviews, surveys and questionnaires to determine which controls each business unit had in place, and to inventory its security, risk management, IT governance and other regulatory processes. That information was kept in a spreadsheet, which Theisen says was not practical. It is now maintained in the ControlPath tool.

"I would always recommend an automated tool," Theisen says. "You do have to have a repository of that information, even if you build an easy Access database. Otherwise, you're going to ask the same questions every year to the businesses. How would you build a baseline? It would be a nightmare to manage your compliance levels manually."

This was first published in September 2008
