Security managers are frustrated; they now have the additional responsibility of ensuring IT regulatory compliance...
and alternatively are forced to spend the time, effort and money on fulfilling auditor requirements that they may not agree with. Additionally, executive management typically equates more budgets and spending on compliance with greater security. While this may be true in some cases, this misconception may give them a false sense of security.
Regulatory compliance does not always lead to better security
The truth is that it's possible to have excellent security and be non-compliant, and it's possible to pass a compliance audit with flying colors and have poor security. The misconception that compliance equals security has led organizations to spend excessively on compliance, sometimes at the detriment of security. Many regulated industries now spend a significant portion of security resources on compliance initiatives. In fact, one enterprise slashed its security budget by 30% and postponed some of its security projects because the resources had to be allotted for dotting the i's and crossing the t's in its Sarbanes-Oxley (SOX) compliance efforts.
Another prime example of how regulatory compliance doesn't lead to better security can be seen in the Federal Information Security Management Act (FISMA) compliance efforts at federal agencies. If grades were a true proxy for information security, we'd have to conclude that the Environmental Protection Agency, which received a 2005 FISMA compliance grade of A+, does a far better job of securing its systems than the Department of Defense (2005 grade: F). However, in reality, the Department of Defense establishes and adheres to a much stricter security regimen for its systems than most other agencies. It does poorly on FISMA assessments because the agency struggles to demonstrate that it's managing all its disparate systems according to FISMA requirements.
Five principles for balancing regulatory compliance with security
Companies that effectively balance security and regulatory compliance don't just follow the letter of the law. They typically go beyond what is required by a regulation, because it makes their environment more secure. Any company that embarks on the compliance journey should adhere to the following five principles to ensure that information security doesn't get left behind.
1. Base your security program on a security framework. CISOs must develop their security programs based on security principles rather than on regulatory mandates. Frameworks like ISO 17799 or COBIT are good starting points. Once the framework and associated controls are established, organizations can map them to current and future regulations, making adjustments where necessary. If a security program is based on compliance mandates, it will have to be updated or changed every time a new regulation comes along or even when an existing regulation is refreshed. Secondly, a regulation typically addresses one particular type of risk (i.e. protecting personal information, protecting credit card numbers, etc.), but does not address business risks including protecting corporate intellectual property or a business model.
2. Leverage compliance budgets for information security controls. Distinguish between security spending and compliance spending. CIOs often lump regulatory compliance spending with information security spending simply because the information security organization has been made responsible for regulatory compliance. CISOs need to educate management that security spending decisions not only extend to fulfilling regulatory compliance requirements, but should also be based on the threats to the organization and aligned with corporate objectives.
3. Automate policy compliance and auditing. Auditors will thank you for doing their work and saving them the time and effort of manually gathering this information. This is a win-win for enterprises and auditors. U.S. federal agencies with successful compliance programs have automated the gathering, measuring, and reporting of compliance data, which makes auditing easier and less time-consuming. For example, the U.S. Agency for International Development (USAID) uses Skybox Security Inc. to receive an up-to-the-minute risk profile of its whole environment. Doing so allows USAID to focus on areas that have the biggest risks while automatically tracking the remediation status auditors can use to demonstrate compliance. Other organizations use security information management (SIM) tools from vendors like Consul Risk Management Inc., Intellitactics Inc., McAfee Inc. (Preventsys) or information risk management tools from companies like Archer Technologies Inc. or Brabeion Inc. to document and automate their security controls for compliance. These tools not only do an excellent job of aggregating data from different part of the organization, but also automate auditing and generate reporting for individual compliance initiatives.
4. Be prepared to manage change in threats and regulations. Effective security programs can deal with changes in threats and regulations. Enterprises must be able to simultaneously handle the ever-changing information security threat landscape and shifting regulatory requirements. And, CISOs will need to regularly re-evaluate their security and compliance programs to ensure their currency and adequacy. Organizations typically tend to focus on either security or compliance but not both because they think of them as separate initiatives. If security considerations can be included in regulatory compliance projects and visa versa, an organization will be able to deal with both efforts much more efficiently.
5. Create an effective awareness and training program – for business partners as well. Many CISOs rely on technology to solve all their security problems and tend to ignore people and process in the equation. Regulations and standards have increased the awareness and underscored the importance of process, but people still pose the biggest risk to enterprise information assets. While regulations typically mandate security awareness and training, there are no requirements to ensure that the awareness and training are effective. In fact, one organization that was required to conduct security awareness training because of a regulation had its employees attend a three-hour security awareness session every year. While this organization fulfilled the requirements of the regulation, it is not an effective way to increase awareness within the organization because awareness cannot be a onetime effort. You have to reinforce your message throughout the year and through different mediums of communication for it to really affect behavior change.
Today, organizations confront a complex web of compliance mandates and enterprise risks. Historically, they have treated such risks and compliance initiatives as independent silos so they scatter across distributed business operations. However, with the increased focus on corporate governance and enterprise risk management, organizations need to develop and use a coherent strategy to drive sustainability, efficiency and consistency to manage enterprise risk and compliance.
About the Author:
Khalid Kark, CISSP, CISM is a senior analyst with Forrester Research Inc. in Cambridge, Mass where he covers security strategy, including communication strategies, security organization, and the role of information security in corporate governance.