Tip

This year compliance, next year control

Regulatory compliance and information security reached critical mass in 2004 -- it was the prep year for complying with HIPAA security and SOX 404. SB 1386 had everyone talking, and the identity theft epidemic finally jarred the American public into understanding the ramifications of privacy. Executive responsibility (thank you SOX) put pressure on board room members to get serious about security compliance, and legislatures from California to Washington DC piled on the regulations.

We're entering the age of corporate governance -- where security and risk management controls are the key to enforcing the policies and procedures that make for good risk management, and good business. Here at META Group we track the progression of organizations through the stages of proactively addressing risk management. In 2004 we saw the largest collective increase in maturity throughout our client base, driven primarily by regulatory compliance concerns -- that's hundreds of enterprises with billions of dollars in revenues vigorously addressing policy, and applying process and formalization in their security programs.


MORE ON REGULATORY COMPLIANCE STRATEGIES:
  • Peruse these resources on

    Requires Free Membership to View


The next step for these organizations is to select practical and appropriate controls (processes or technologies), based on reasonably anticipated risks, which are used as a countermeasure for risk mitigation. Typically auditors are more interested in your written procedures and process for implementing a control than they are in the automating technology. For example, it is more important to have a documented and reasonable process (manual or automated) to analyze event log data than to have fully automated centralization and analysis.

Organizations also need to build a defensible case that proves their choices were correct for their organization. You can't protect yourself from everything so you have to select controls that protect you from reasonably anticipated risks. Compliance is ultimately a negotiation with an auditor because there is no definitive assertion of what equals compliance with any security regulation.

Enterprises will no doubt turn to technology to help them implement appropriate controls. META Group has seen a significant increase in interest and sales for VPN, security information management and identity management technologies. Most products provide value as enabling security controls. But the vendor you want to talk to is the one offering to help you build the defensible case that their product automates your processes and protects against reasonably anticipated threats in your enterprise.

Organizations have an opportunity in 2005 to capitalize on their executives' focus on compliance to create good control environments, select and implement a good control set, and formalize their security programs for success. We've never seen this level of executive support, and it's predictable that their interest will wane as they begin to feel as though the problem is "solved." It's important that security professionals seize this opportunity to get a jump start on their organization's next level of security and risk management.

About the author
Paul Proctor, CISSP, CISM, is the Vice President of Security and Risk Strategies for META Group Inc. He is a recognized expert in the field of information security and associated regulatory compliance issues surrounding HIPAA, Sarbanes-Oxley and GLBA.

This was first published in December 2004
