Become compliant -- without breaking the bank

It's a floor wax! It's a dessert topping! It's a compliance tool!

Vendors have tried to cash in on the compliance crush by promising a cure-all to regulation woes. But by now, you know there's no magic compliance tool -- no "SOX-in-a-box" or "HIPAA-in-a-handbasket" to solve all of your enterprise compliance needs.

Rather, the trick is to understand what these tools can and cannot do. From there, you can determine whether to fine tune your existing infrastructure or invest in new technologies to meet the ever-changing regulatory requirements.

Setting up frameworks

Before you decide on an approach, you need to fully understand the regulations and what they require.

Much of the regulatory legislation pertains to appropriate risk management and business controls, not to prescriptive security settings or systems. The lack of precise prescription is often by design. In the

    Requires Free Membership to View

HIPAA Security Final Rule, for instance, a complete listing of the proposed requirements, public comment and the ruling response are included and provide transparency into the process. But the final rule is very general, lacking specific recommendations for implementation.
Attend SOX Security School
Learn the strategies and tactics you need to apply to your organization to comply with the Sarbanes-Oxley Act in SOX Security School, brought to you by SearchSecurity.com.

The lack of prescription means that companies must perform risk analyses and create their own actionable guidance. Reading through the actual requirements is a great place to start. Then you can review and adopt one of the commonly accepted control frameworks, such as COSO, COBIT, ISO 17799 and ITIL. Remember, more than one of these frameworks can be used. ITIL suggests using COBIT and ISO 17799 for defining "what" should be done, and using ITIL for the "how." The frameworks and legislation can help determine accountability paths, such as who will sign off on risk acceptance decisions. Use these as a starting point from which the key stakeholders -- executives, auditors, IT administrative staff and any other employees involved in the compliance process -- can obtain guidance and insight.

A word of caution: These frameworks are not entirely prescriptive, nor are they a replacement for decision making and self-definition within the organization. Creating policies and compliance rules for a business or entity is a collaborative process in which all stakeholders should participate.

Creating policies

For many administrators, the idea of working "top down" -- from risk assessment and business controls to technical security settings on servers -- may seem out of the ordinary.

Historically IT security has often been "bottom up." Technical IT risk decisions, such as which firewall to install and how to configure it, were made without input from business executives. Today, some IT professionals welcome having the business side more involved with risk assessment. However, the lack of technical knowledge of some business executives can cause frustration, even concern, for security professionals. But keep in mind that this is an opportunity to bring security out of the technical closet and make it a cornerstone of the business risk process. IT can help management understand how mitigating technologies work, how much they cost to run and manage, and what level of assurance can be reasonably expected.

Meanwhile, management is responsible for being part of the oversight process by setting acceptable levels of risk and communicating these to the IT staff. From there, the IT staff can determine what technical security policy measures are required and find tools that can meet those requirements.

Communication and collaboration are critical to a successful transition from regulations to control frameworks to technical policies and implementations.

Implementing technical solutions

Once the framework and policies have been set, it's time to build the security architecture. One way is to translate the control objectives into organizational and IT activities, and then into a technical security architecture.

Case in point: If your organizational objective is to protect personal information from unauthorized access, you'll need to initiate employee training and user awareness. On the technical side, you may need to implement network zoning, configuration management and content controls using a variety of products including firewalls, filtering gateways and vulnerability management software among others. (See Building Frameworks.)

While this process is still fairly high level, it will grow even more detailed as your organization makes additional decisions such as design choices about which firewalls or filtering gateways are selected. Technical security policies and configurations will need to be approved and applied to the various devices in the architecture.

>> Read part 2, Determining whether to fine tune or buy

This was first published in March 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.