This year compliance, next year control

Regulatory compliance and information security reached critical mass in 2004 -- it was the prep year for complying with HIPAA security and SOX 404. SB 1386 had everyone talking, and the identity theft epidemic finally jarred the American public into understanding the ramifications of privacy. Executive responsibility (thank you SOX) put pressure on board room members to get serious about security compliance, and legislatures from California to Washington DC piled on the regulations.

We're entering the age of corporate governance -- where security and risk management controls are key to enforcing the policies and procedures that make good risk management, and good business. Here at META Group we track the progression of organizations through the stages of proactively addressing risk management. In 2004 we saw the largest collective increase in maturity throughout our client base driven primarily by regulatory compliance concerns -- that's hundreds of enterprises with billions of dollars in revenues vigorously addressing policy, and applying process and formalization in their security programs.

• Peruse these resources on SOX security best practices.
• Read this Q&A on HIPAA-related policies and regulation enforcement.
• Read how a pre-audit can help you determine your compliance strategy.

The next step for these organizations is to select practical and appropriate controls (processes or technologies), based on reasonably anticipated risks, which are used as a countermeasure for risk mitigation. Typically auditors are more interested in your written procedures and process for implementing a control than they are in the automating technology. For example, it is more important to have a documented and reasonable process (manual or automated) to analyze event log data than to have fully automated centralization and analysis.

Organizations also need to build a defensible case that proves their choices were correct for their organization. You can't protect yourself from everything so you have to select controls that protect you from reasonably anticipated risks. Compliance is ultimately a negotiation with an auditor because there is no definitive assertion of what equals compliance with any security regulation.

Enterprises will no doubt turn to technology to help them implement appropriate controls. META Group has seen significant increase in interest and sales for VPN, security information management and identity management technologies. Most products provide value as enabling security controls. But the vendor you want to talk to is the one offering to help you build the defensible case that their product automates your processes and protects against reasonably anticipated threats in your enterprise.

Organizations have an opportunity in 2005 to capitalize on their executives' focus on compliance to create good control environments, select and implement a good control set, and formalize their security programs for success. We've never seen this level of executive support and it's predictable that their interest will wane as they begin to feel as though the problem is "solved." It's important that security professionals seize this opportunity to get a jumpstart on their organization's next level of security and risk management.

About the author
Paul Proctor, CISSP, CISM, is the Vice President of Security and Risk Strategies for META Group Inc. He is a recognized expert in the field of information security and associated regulatory compliance issues surrounding HIPAA, Sarbanes-Oxley and GLBA.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Enterprise Risk Management: Metrics and Assessments,   Information Security Management,   Enterprise Data Protection,   Identity Theft and Data Security Breaches,   Guest Commentary,   Security Audit, Compliance and Standards,   HIPAA,   Sarbanes-Oxley Act,   IT Security Audits,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT HIPAA Healthcare security spending remains sluggish, report shows Creating a HIPAA employee training program FTC extends breach notification to Web-based health repositories Are there guidelines to create a HIPAA-compliant data center? HHS HIPAA guidance on encryption requirements and data destruction Writing a patient identifier policy to prevent common HIPAA violations HIPAA compliance: New regulations change the game HIPAA compliance manual: Training, audit and requirement checklist Key elements of a HIPAA compliance checklist Quiz: How to meet HIPAA compliance requirements HIPAA Research Sarbanes-Oxley Act SOX compliance burdens midmarket security teams Ex-SEC chief Pitt decries state of Sarbanes-Oxley, risk management Information security book excerpts and reviews Internal audits for Sarbanes Oxley and internal IT support Internal auditors and CISOs mitigate similar risks Implement security and compliance in a risk management context Does password sharing in international branches violate SOX? Consensus Controls project aims to set benchmarks for compliance Security visualization helps make log files work The Little Black Book of Computer Security, 2nd Edition Sarbanes-Oxley Act Research Enterprise Risk Management: Metrics and Assessments Layoffs prompt insider threat fears, cybersecurity survey finds How to avoid Internet liability lawsuits Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way Bernie Rominski: Communicate Effectively with Management about Risk Best Policy and Risk Management Products Monitoring program data and internal controls for risk management Risk management strategy for an information technology solution provider Align your data protection efforts with GRC The basics of enterprise GRC project management RSA council addresses growing security risks in the cloud Enterprise Risk Management: Metrics and Assessments Research RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.