How compliance control frameworks ease risk assessment burdens

Control and governance frameworks like COBIT and ISO 17799 can make compliance goals easier to achieve. In this tip, part of SearchSecurity.com's Compliance School, expert Richard E. Mackey explains how to approach these frameworks and why they are helpful in determining how to mitigate risks.

This tip is part of the SearchSecurity.com Compliance School lesson, Compliance improvement: Get better as you go forward.

One of the main challenges facing any organization trying to achieve compliance with regulations like HIPAA or the Sarbanes-Oxley Act, or with contractual obligations like the PCI Data Security Standard, is how to structure the compliance effort. Most organizations understand that they need to keep particular systems and data secure, but they often have a hard time deciding how narrowly or broadly those security requirements should be interpreted. This is where frameworks like COBIT and ISO 17799 (the control catalog that has since been renumbered ISO/IEC 27002) can help.

Control and governance frameworks like COBIT and ISO 17799 can help organizations in three ways: understanding the dimensions of security and governance requirements, illustrating the many options there are to meet requirements and structuring an ongoing compliance program.

The dimensions

It is easy to think of the security aspects of compliance as being one and the same with the mechanisms that help you achieve your security goals. For example, even security professionals often think only of their firewalls and their authentication and authorization mechanisms when considering how their information is protected.

However, a more productive way of viewing security is to consider first what you are trying to secure and why. Frameworks require organizations to complete a risk assessment and to identify the information and assets that need to be protected before deciding how to protect them.

When considering risks associated with a compliance activity like SOX, a risk assessment will force an organization to look at the information and processes that may have an effect on the accuracy, transparency and accountability associated with the company's financial statements. The identification and risk assessment process allows the organization to define the scope of the compliance activities and what risks need to be mitigated.

Frameworks also highlight that security is more than the controls surrounding the systems and applications. The full scope of security includes how you are organized -- the human checks and balances in developing, maintaining, provisioning and auditing the business processes that are in your compliance scope. This includes not only internal activities, but also outside ones like service providers.

The broad range of mechanisms

Frameworks also help to identify the many options that organizations can use to mitigate risk. While technologists tend to lean toward technical solutions, the ISO and COBIT standards emphasize the need for policies and procedures and correctly structured business processes to deal with risk.

For example, there are times when the most effective mechanism for ensuring that only appropriate users have access to a company's financial information is to involve the right people in approval and certification of access controls. Sometimes companies can avoid the need for security mechanisms altogether by setting policies stating that sensitive information should only be stored in certain environments or transmitted in particular ways. This kind of control can greatly simplify the compliance task.

The structure of the program

A good deal of the text in framework documents is dedicated to the continuing process of improvement. Compliance with any regulation, contract or standard requires a structured cyclical approach to accomplish its goals. COBIT describes the following process that parallels those found in other frameworks:

  • Define the goals specific to the organization and business context.
  • Select controls to accomplish the goals.
  • Deploy and implement the controls.
  • Assess the effectiveness of the controls.
  • Repeat the process.

The structure reminds us that compliance is a process and not an end state. As a business changes, the environment in which it functions changes; it grows, shrinks, offers new products, deploys new technology or is exposed to new threats. As the risks change, so must the corresponding controls.

Furthermore, what was once considered a best practice may not be good enough today. In other words, an adaptive process that recognizes change is critical to any compliance activity. This is what frameworks are all about.

About the author:
Richard Mackey, ISACA, CISM, Vice President, SystemExperts is regarded as one of the industry's foremost authorities on distributed computing infrastructure and security. He has advised leading Wall Street firms on overall security architecture, virtual private networks, enterprise-wide authentication, and intrusion detection and analysis. He also has unmatched expertise in the OSF Distributed Computing Environment. Prior to joining SystemExperts, Mackey was the director of collaborative development for The Open Group (the merger of the Open Software Foundation and X/Open) where he was responsible for the integration of Microsoft's ActiveX Core with DCE and DCE Release 1.2. Mackey is an original member of the DCE Request For Technology technical evaluation team and was responsible for the architecture and defining the contents of DCE Releases 1.1 and 1.2. He has been a frequent speaker at major conferences including Information Security Decisions and has taught numerous tutorials on developing secure distributed applications.

This was last published in February 2007
