CHICAGO -- The best way to meet "squishy" security provisions in regulations like Sarbanes-Oxley is to match appropriate controls against anticipated threats and create a defensible case to support those decisions. Otherwise, enterprises risk devoting too few -- or directing too many -- resources to come into compliance, according to Paul Proctor, META Group's vice president of security and risk strategies.
"Regulations recognize you can't protect yourself from everything," Proctor told delegates at Thursday's Information Security Decisions conference. But, he acknowledged, their built-in flexibility also can work against an organization if controls aren't mapped to a proactive, process-oriented security program based on an ongoing risk assessment.
Corporate governance-oriented SOX, which holds public companies' top executives accountable for internal data controls, is especially vague on security. "Sarbanes-Oxley is the absolute worst," Proctor said. "They don't tell you what you need to do at all. Of course, they'll throw you in jail if you don't do it properly."
With the deadline for compliance set for Nov. 15, many SOX-covered companies are scrambling to meet audits of their annual records. But, according to META, there are more than two dozen regulations significantly driving security and risk management activity.
Companies that must meet multiple regulatory laws should find common denominators and then roll out a security program based on the general legal requirements, such as record-keeping, incident reporting and following best practices.
In particular, Proctor offered the following steps for meeting various regulations:
- Develop lighter, faster, scalable risk assessments done on a regular basis. Most importantly, define the organization's "reasonably anticipated" risks to determine priorities by criticality and likelihood of occurrence.
- Establish effective controls with selected criteria, such as the enterprise's size, complexity and capabilities. These should include measurable processes that demonstrate accountability and transparency -- two cornerstones of corporate governance models.
- Build a defensible case for anyone likely to challenge those controls, such as data owners and both internal and external auditors who ultimately decide who is and isn't meeting security and privacy guidelines. "It turns out that compliance is really negotiating with your auditor. Nobody wants to admit that," Proctor said.
- Finally, create a proactive, dynamic security program that meets standards of due care. Too many organizations set requirements that go beyond "reasonable and appropriate" controls based on the wrong interpretation of the law. "The reality is regulation actually wants you to do something about this stuff. They just don't tell you exactly how to do it."
Not only will following these steps help businesses meet existing regulations, Proctor maintains, but it'll better prepare them for what's ahead. "More regulation is coming," Proctor told the audience. "You need to start getting ready for it now."