
ISD Conference '04: Regulatory compliance in the real world

By Anne Saita, News Writer
08 Oct 2004 | SearchSecurity.com


CHICAGO -- The best way to meet "squishy" security provisions in regulations like Sarbanes-Oxley is to match appropriate controls against anticipated threats and create a defensible case to support those decisions. Otherwise, enterprises risk devoting too few -- or directing too many -- resources to come into compliance, according to Paul Proctor, META Group's vice president of security and risk strategies.

"Regulations recognize you can't protect yourself from everything," Proctor told delegates at Thursday's Information Security Decisions conference. But, he acknowledged, their built-in flexibility also can work against an organization if controls aren't mapped to a proactive, process-oriented security program based on an ongoing risk assessment.

Corporate governance-oriented SOX, which holds public companies' top executives accountable for internal data controls, is especially vague on security. "Sarbanes-Oxley is the absolute worst," Proctor said. "They don't tell you what you need to do at all. Of course, they'll throw you in jail if you don't do it properly."

With the deadline for compliance set for Nov. 15, many SOX-covered companies are scrambling to meet audits of their annual records. But, according to META, there are more than two dozen regulations significantly driving security and risk management activity.

Companies that must meet multiple regulatory laws should find common denominators and then roll out a security program based on the general legal requirements, such as record-keeping, incident reporting and following best practices.

In particular, Proctor offered the following steps for meeting various regulations.

  • Develop lighter, faster, scalable risk assessments done on a regular basis. Most importantly, define the organization's "reasonably anticipated" risks to determine priorities by criticality and likelihood of occurrence.

  • Establish effective controls with selected criteria, such as the enterprise's size, complexity and capabilities. These should include measurable processes that demonstrate accountability and transparency -- two cornerstones of corporate governance models.

  • Build a defensible case for anyone likely to challenge those controls, such as data owners and both internal and external auditors, who ultimately decide who is and isn't meeting security and privacy guidelines. "It turns out that compliance is really negotiating with your auditor. Nobody wants to admit that," Proctor said.

  • Finally, create a proactive, dynamic security program that meets standards of due care. Too many organizations set requirements that go beyond "reasonable and appropriate" controls based on the wrong interpretation of the law. "The reality is regulation actually wants you to do something about this stuff. They just don't tell you exactly how to do it."

Not only will following these steps help businesses meet existing regulations, Proctor maintains, but it'll better prepare them for what's ahead. "More regulation is coming," Proctor told the audience. "You need to start getting ready for it now."
