Many organizations have to comply with multiple regulations, such as PCI DSS, HIPAA and Sarbanes-Oxley. Too often, organizations do just the bare minimum to meet each regulation's requirements, or they focus information security efforts only on systems and data that are subject to compliance. In too many organizations, compliance is perceived as a "check box" exercise -- separate from "real" information security -- that already overworked information security professionals must struggle through.
If managed properly, security compliance standards can be used to strengthen an organization's overall information security program. Integrating compliance efforts with an organization's overall information security program can save money and time, reduce complexity and help create long-term, sustainable solutions for an organization's information security challenges.
Compliance can strengthen an organization's overall information security program in four significant ways:
Increased senior management support
Senior management support is essential for an information security program. Information security professionals should use compliance mandates to get additional face time with senior managers who are often removed from day-to-day information security challenges and processes. Senior managers usually understand compliance, whereas classic information security concepts, such as risk reduction and threat management, continue to be confusing and nebulous to many senior executives. Because they understand many regulations come with unpleasant penalties that could personally impact them -- such as fines for PCI DSS non-compliance causing lower revenue numbers or imprisonment for SOX non-compliance -- senior managers are often interested in receiving regular updates about compliance efforts. While discussing compliance projects, information security professionals should also use the time to educate senior managers about other information security efforts, and to identify managers' security concerns and risk tolerances.
Since senior managers understand that relevant regulations must be met, they are often more likely to approve compliance-related funding and resource requests than information security requests not directly linked with compliance. Use this to your advantage. Need funds to purchase a security technology, like a file integrity monitoring solution, to comply with PCI DSS? Request it as mandatory for compliance, then use the technology in both PCI and non-PCI environments. Need another employee to review logs and perform security incident response as part of your organization's HIPAA compliance? Explain to senior management that an additional employee is critical for maintaining compliance, then use the employee to improve the security of both HIPAA and non-HIPAA environments.
Most regulations are based on the same information security best practices, such as strong passwords, detailed logging, role-based access and the encryption of sensitive data. Organizations that must comply with multiple regulations should identify the controls common to those regulations and use them to establish an information security baseline throughout the organization. Particularly for organizations with a new or less-than-robust information security program, using common controls will save time and money by reducing duplication of effort and complexity, and will enable both security and compliance teams to focus on a consistent set of controls.
Security policies provide the foundation for an organization's information security program. Most regulations require similar policies, such as an access control policy, a security incident response policy or a logging policy. Organizations commonly create separate sets of policies for each area of compliance and another set for corporate systems. This can lead to conflicting or duplicated policies and to the burden of maintaining multiple sets of policies. Instead, information security professionals should create a baseline set of policies, based on common controls, for use throughout the organization. This will save time and money and help ensure the use of consistent security controls and processes throughout the organization.
Standardized technology products and services
Many of the common controls mandated by regulations require implementing security products such as encryption, centralized logging, anti-virus and IDS/IPS. Instead of using piecemeal solutions for each compliance area, information security professionals should implement standardized technology solutions -- such as sending all relevant system logs to one centralized logging solution or deploying one type of anti-virus software on appropriate systems -- wherever possible across the organization. Reducing duplication of effort saves money and time. An organization's overall security is also improved because the number of security systems staff have to manage and monitor is reduced and critical security information, such as logs, is consolidated in one place.
Like a person who goes on a crash diet, organizations that comply only for the sake of compliance don't improve overall enterprise security and often find it difficult to establish and maintain an effective information security program. Rather than treating compliance as a separate activity, information security professionals should seek to integrate compliance into the organization's overall information security processes and daily activities. Doing so will save the organization time, money and effort and create a best-practices-based information security program that addresses both regulatory mandates and ever-increasing security threats.
About the author
Steven Weil, CISSP, CISA, CISM, CRISC, QSA, is an independent security consultant. He has 18 years of experience in information security design, implementation and assessment. He has provided information security services to a wide variety of organizations including government agencies, hospitals, universities, small businesses and large enterprises.