This year compliance, next year control

Paul discusses the age of corporate governance, how companies move from formalizing their security compliance programs to selecting appropriate controls to protect against risks.

Regulatory compliance and information security reached critical mass in 2004 -- it was the prep year for complying with HIPAA security and SOX 404. SB 1386 had everyone talking, and the identity theft epidemic finally jarred the American public into understanding the ramifications of privacy. Executive responsibility (thank you SOX) put pressure on board room members to get serious about security compliance, and legislatures from California to Washington DC piled on the regulations.

We're entering the age of corporate governance, in which security and risk management controls are the means of enforcing the policies and procedures that constitute good risk management and good business. Here at META Group we track the progression of organizations through the stages of proactively addressing risk management. In 2004 we saw the largest collective increase in maturity across our client base, driven primarily by regulatory compliance concerns: hundreds of enterprises with billions of dollars in revenue vigorously addressing policy, and applying process and formalization to their security programs.
The next step for these organizations is to select practical and appropriate controls (processes or technologies) as countermeasures against reasonably anticipated risks. Typically auditors are more interested in your written procedures and your process for implementing a control than in the technology that automates it. For example, it is more important to have a documented and reasonable process (manual or automated) for analyzing event log data than to have fully automated centralization and analysis with no documented process behind it.

Organizations also need to build a defensible case that their choices were correct for their organization. You can't protect yourself from everything, so you have to select controls that protect you from reasonably anticipated risks. Compliance is ultimately a negotiation with an auditor, because no security regulation states definitively what constitutes compliance.

Enterprises will no doubt turn to technology to help them implement appropriate controls. META Group has seen a significant increase in interest in, and sales of, VPN, security information management and identity management technologies. Most products provide value as enabling security controls. But the vendor you want to talk to is the one offering to help you build the defensible case that their product automates your processes and protects against the threats reasonably anticipated in your enterprise.

Organizations have an opportunity in 2005 to capitalize on their executives' focus on compliance to create good control environments, select and implement a good control set, and formalize their security programs for success. We've never seen this level of executive support, and it is predictable that their interest will wane as they begin to feel the problem is "solved." It's important that security professionals seize this opportunity to get a jumpstart on their organization's next level of security and risk management.

About the author
Paul Proctor, CISSP, CISM, is the Vice President of Security and Risk Strategies for META Group Inc. He is a recognized expert in the field of information security and associated regulatory compliance issues surrounding HIPAA, Sarbanes-Oxley and GLBA.

This was last published in December 2004
