Most organizations fall under the purview of two or more regulations, for example: PCI DSS and SOX for most retailers,. Implementing security controls for one regulation, like the 12 requirements of PCI DSS, can and should be directly applicable to the requirements of the other regulation. But maintaining and reporting on such maps can be challenging and resource intensive.
The good news is that there are a number of options to do this mapping. A new generation of security tools called GRC suites, (governance, risk and compliance), are emerging, and one of their key value propositions is to gather data and generate audit-specific reports in accordance with what each regulation requires. But these tools are new, and thus they are still expensive and resource intensive to employ.
A cheaper alternative is to leverage the content developed by the Unified Compliance Framework, a commercial entity that maps IT controls to international regulations and standards. There are several free tools on their site and licensing their content and templates incurs only a modest cost.
Remember, the end goal is leverage. A control should be useful across multiple regulations. Having a map makes this leverage possible.
- Read more about mapping security policies with NAC.
- Are there security management products that track compliance objectives? Learn more from this expert response.
Dig Deeper on Information security policies, procedures and guidelines
Related Q&A from Mike Rothman
While liaison officer responsibilities vary depending on the company they work for, their strong organizational and communications skills make them ... Continue Reading
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.