The difficulty with regulation is that it can guide you towards prioritising controls that aren’t the ones you’d choose based on the business security risk profile. However, it’s worth bearing in mind that regulation is a legitimate risk and just as much a driver as reputational and financial considerations, so it’s only right that it’s part of the mix. In addition, it can be easier to build a business case when there is a clear compliance requirement.
Focussing on the controls that achieve multiple objectives – enhancing security and also addressing other aims such as process efficiency and compliance – can allow several issues to be addressed with a single action or change.
In practice, internal security requirements and those for standards such as ISO27001, PCI-DSS, and legislation such as the Data Protection Act are often different but closely aligned.
The approach we have taken is to integrate regulatory requirements with our own internal expectations in order to measure success against a single standard. If you can meet the requirements you’ve defined, then you know they are right for the business and address compliance issues at the same time.
Compliance can lead to a ‘tick box’ approach, so it’s also important to challenge whether controls are actually effective and implemented properly. For example, it’s one thing to define record retention periods and password standards, but quite another to know you only have information you need and only the right people have access.
Ultimately it needs to be about making compliance requirements work for security, rather than the other way round.
Matt Palmer is a member of the ISACA London Chapter Security Advisory Group and Group Information Security Officer at Skipton Building Society.