This year compliance, next year control


Paul Proctor, CISSP, CISM
12.22.2004


Regulatory compliance and information security reached critical mass in 2004 -- it was the prep year for complying with HIPAA security and SOX 404. SB 1386 had everyone talking, and the identity theft epidemic finally jarred the American public into understanding the ramifications of privacy. Executive responsibility (thank you SOX) put pressure on board room members to get serious about security compliance, and legislatures from California to Washington DC piled on the regulations.

We're entering the age of corporate governance -- where security and risk management controls are key to enforcing the policies and procedures that make for good risk management, and good business. Here at META Group we track the progression of organizations through the stages of proactively addressing risk management. In 2004 we saw the largest collective increase in maturity across our client base, driven primarily by regulatory compliance concerns -- that's hundreds of enterprises with billions of dollars in revenues vigorously addressing policy and applying process and formalization to their security programs.

The next step for these organizations is to select practical and appropriate controls (processes or technologies), based on reasonably anticipated risks, to serve as countermeasures for risk mitigation. Typically auditors are more interested in your written procedures and the process for implementing a control than in the technology that automates it. For example, it is more important to have a documented and reasonable process (manual or automated) for analyzing event log data than to have fully automated centralization and analysis.

Organizations also need to build a defensible case that shows their choices were correct for their organization. You can't protect yourself from everything, so you have to select controls that protect you from reasonably anticipated risks. Compliance is ultimately a negotiation with an auditor, because there is no definitive assertion of what constitutes compliance with any security regulation.

Enterprises will no doubt turn to technology to help them implement appropriate controls. META Group has seen a significant increase in interest and sales for VPN, security information management and identity management technologies. Most products provide value as enabling security controls. But the vendor you want to talk to is the one offering to help you build the defensible case that their product automates your processes and protects against the reasonably anticipated threats in your enterprise.

Organizations have an opportunity in 2005 to capitalize on their executives' focus on compliance to create good control environments, select and implement a good control set, and formalize their security programs for success. We've never seen this level of executive support, and it's predictable that executives' interest will wane as they begin to feel the problem is "solved." It's important that security professionals seize this opportunity to get a jumpstart on their organization's next level of security and risk management.

About the author
Paul Proctor, CISSP, CISM, is the Vice President of Security and Risk Strategies for META Group Inc. He is a recognized expert in the field of information security and associated regulatory compliance issues surrounding HIPAA, Sarbanes-Oxley and GLBA.
