My philosophy is that a strong security program leads to compliance, and for that reason, I advise everyone to focus on security first. Implementing proper safeguards will result in compliance with any given regulation.
The reality is that you need some way to map a security control to the appropriate requirement of a regulation to prove that you are doing something. So I see a definite need for some type of catalog. A number of corporate governance consultants and software companies have done similar mappings.
With these compliance and governance offerings, each organization will face the buy vs. build decision. In general, I'm a fan of buying rather than taking matters into my own hands, but this is not always an option. There are clear situations where a commercial offering that focuses on a set of generic controls and common regulations may not fit your environment, especially if you have a very complex and customized one. But those environments are few and far between. Given the significant resource requirements necessary to keep a catalog mapping up-to-date and relevant to dynamic business conditions, I figure most organizations are better off buying.
The biggest challenge you'll have is making the catalogue relevant to a security person's day-to-day activity. Why? Basically because most catalogs and/or mapping is just another set of reports that security professionals need to deal with. Optimally, reporting and compliance can be leveraged with daily operational activities. That way, it's easier to see how implementing new controls or remediating problems can actually have an impact regarding specific regulations.
Dig Deeper on Information security policies, procedures and guidelines
Related Q&A from Mike Rothman
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
While liaison officer responsibilities vary depending on the company they work for, their strong organizational and communications skills make them ... Continue Reading
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading