Businesses face an ever-increasing tide of legislation and regulation. Across the ISF’s 300+ corporate members, meeting these compliance requirements is made more difficult by two problems. First, the management and prioritisation of multiple compliance obligations, specifically cross-jurisdictional ones, is hard. Second, many compliance requirements demand a multi-dimensional response (people, process and technology), yet the security response is often one-dimensional and technology-focused.
So, how to address these two problems? Businesses – with the aid of their security professionals – need to understand one important concept: compliance does not equate to good security, but good security can help achieve compliance. Starting from this concept, a focus on security basics (which, from the ISF perspective, includes awareness, patch management, access control and regular review and audit of logs, systems and networks) provides the foundation on which compliance can be attained.
In many organisations, demonstrating compliance is an ad hoc reaction to a request for evidence from internal or external authorities rather than a consistent, repeatable process integrated through business operations. Security professionals can help their organisations by implementing a process, such as the compliance management process developed by the ISF.
Such a process would enable the discovery of requirements, the definition of responses to meet those requirements, the implementation of those responses and then the monitoring of their performance. The process can be used to demonstrate that the confidentiality, integrity and availability of an organisation’s information assets are being maintained in conformance with clearly defined obligations (laws, regulations, specifications, standards or policies) and in a consistent manner.
Finally, use controls deployed in existing programs to meet more than one requirement: for example, deployed information security controls may be used to satisfy privacy and financial reporting regulations.
Adrian Davis is principal research analyst at the Information Security Forum (ISF).