This leads me to another point. What exactly does compliance mean? Perhaps a good exercise is to sit down with your committee and define compliance and how it fits into the context of your business so you will know what to focus on. In a nutshell, compliance is about doing business within a set of boundaries — in this case, the boundaries are all the requirements of these laws and regulations your business is up against. Make sure everyone is on the same page with this.
If needed, get some of your IT and security product vendors involved. They often have expertise that can help you map out what you are up against; however, do not rely on their marketing hype alone. Rather, get them in on your discussions and talk about how their products can help take the pain out of managing compliance, especially in the area of automation.
Understand What is at Risk
Arguably the greatest oversight in information risk management is not knowing where sensitive information lives and how it is currently exposed. An information risk assessment can determine this readily. Unfortunately, too many people rely on the word of their network administrators or the findings of a high-level checklist audit. That is not enough. You have to dig into your computers, your applications and your IT operations with an attacker's mindset, using good tools and techniques, to find out what really matters. It is fine to start small with a security “review,” but you must eventually leave no stone unturned.
Focus on sensitive information and the problems surrounding it that are both urgent (it has to be fixed now because it is directly exploitable) and important (the business cannot afford for this system to be offline). If you do it right, your risk assessment will show you exactly where to focus your efforts and your budget.
Do not reinvent the wheel. There is no need to start from scratch developing a risk framework; that work has already been done. If you build on existing standards such as ISO/IEC 27001 and 27002, COBIT and COSO, you can create one overarching framework and map each compliance requirement, current or future, onto it.
Automate Where Possible
Static policies, plans and controls are one thing, but automation is going to be the key to effective information risk management going forward. There is simply too much to keep up with otherwise. Look at how you can streamline information security-related processes. With the right tools, you will be on top of things rather than constantly reacting, and you will know how things are working rather than wondering whether they are.
However, before you go out and buy expensive tools, make sure you are using what you already have to its fullest extent. The “free” controls built into today's operating systems and applications can satisfy numerous compliance requirements, provided they are actually enabled and used. Just know that no control, no managed service and no product you can buy will ever automatically make you compliant. Neither compliance nor security comes out of a box.
Ongoing Security Assessments
Security is not a one-time deal and neither is compliance. They are as much a mindset and a culture as anything else — something that has to be nurtured now and moving forward. Time and again, business executives, IT directors and compliance managers will claim their information systems are secure or “compliant” because they had a vulnerability scan last year and everything checked out. If information security were that simple, I and many, many other security professionals would be out of work.
Trust, but verify. Make sure that the right type of testing has been done and continues to be done on a periodic basis. I can guarantee you that systems (Web applications, network devices, etc.) that have been scanned once and subsequently deemed “secure” are security breaches in the making. Environments change, so testing has to keep pace. Also, do not forget about the operational side of security: patch management, change management, development processes, documentation reviews and so on. It is often this soft side of the equation that prevents any reasonable semblance of compliance.
Getting Past This Stage