Problem solve Get help with specific problems with your technologies, process and projects.

What's the best way to get started mapping business processes to security frameworks?

Consolidating effort by mapping security controls to business frameworks is a great way to save time. But how implementable is it?

Our organization is looking for ways in which to map business processes to security frameworks. It's a concept management is really keen on, but we're having a hard time getting started. How do we get rolling on a project like this, and what should our ultimate goal be?
Mapping specific security controls -- implementing firewalls, deploying IPS, installing antivirus, etc.-- to both frameworks and regulatory hierarchies is a more common practice, which is all about consolidating effort.

Most organizations fall under the purview of two or more regulations, for example: PCI DSS and SOX for most retailers,. Implementing security controls for one regulation, like the 12 requirements of PCI DSS, can and should be directly applicable to the requirements of the other regulation. But maintaining and reporting on such maps can be challenging and resource intensive.

The good news is that there are a number of options to do this mapping. A new generation of security tools called GRC suites, (governance, risk and compliance), are emerging, and one of their key value propositions is to gather data and generate audit-specific reports in accordance with what each regulation requires. But these tools are new, and thus they are still expensive and resource intensive to employ.

A cheaper alternative is to leverage the content developed by the Unified Compliance Framework, a commercial entity that maps IT controls to international regulations and standards. There are several free tools on their site and licensing their content and templates incurs only a modest cost.

Remember, the end goal is leverage. A control should be useful across multiple regulations. Having a map makes this leverage possible.

More information:

This was last published in May 2008

Dig Deeper on Information security policies, procedures and guidelines

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.