Implement security and compliance in a risk management context
by Neil Roiter
Issue: Jan 2009

When you build your security program on risk assessment, you are going to protect your company. When you build a program based on compliance, you have, well, compliance.

"We never set the bar for any program based on regulatory expectations," declares Advanta's Holmquist. "I set the bar higher than their expectations. We create as robust a program as we can based on awareness, accountability and the ability to take action. We always exceeded regulators' expectations."

COMPLIANCE IN THE TRENCHES
Risk is also well understood by regulatory auditors and bank examiners, who are not, and should not be, simply working off a checklist.

"With regulators, I've always found I was able to do things with a risk-based approach," says Stiglianese, "as long as I was able to take them through what my methodology was for evaluating risk."

Depending on whom you talk to, compliance in the financial sector is something of a black-and-white affair, but that's not to say it's all or nothing.

The overriding consideration is the safety of the business: that is, is there a real danger that the business could collapse and put customers and other institutions in jeopardy? That question is at the heart of many regulatory requirements, and it is a different consideration from the soundness of the business, which speaks more to its level of profitability.

So, while banks should use risk assessment to develop programs that meet or, preferably, exceed regulatory requirements, comply they will. "We follow guidelines laid out for the company," says First Capital's Hogard. "Risk assessment determines to what degree of effort and cost does the company expend making sure we're complying with the regulations."

Hogard applies the 80-20 rule, achieving 80 percent of compliance quickly at 20 percent of the effort, then implementing more effort-intensive methods to enhance compliance.

The key is presenting a plan that makes sense to examiners and auditors. If your company can't implement controls immediately, presenting a specific, risk-based plan with a time frame will work.

"Generally, it looks something like a 24-month rolling plan," says Steve Katz, founder and president of IT security consultancy Security Risk Solutions, who managed information security at JP Morgan, Citigroup and Merrill Lynch. "It gives business managers as well as auditors and examiners a sense that you're not just trying to solve the immediate problems. If there are open compliances, you have a plan to remediate over time."
