As new regulations and legislation are mandated and existing regulations are changed, organizations face a difficult challenge in becoming compliant. To complicate matters, the language of compliance is intentionally vague and subjective in order to provide a general direction on best practices, rather than clear instructions.
While vague compliance language gives organizations the flexibility they need to adapt their technologies and processes, without proper guidance, it can be costly to achieve compliance and can even result in a failure to comply. Even more troubling, it is possible to be fully compliant, yet still vulnerable to attack. Constantly evolving worms, viruses and exploits mean companies are actually getting hit with new compliance requirements every day.
Below are three tips to help organizations navigate the landscape of compliance, without getting lost in translation:
Create a solid foundation with sound business processes:
The best way to remove confusion is to follow a framework that ties business process to security policies (like ISO 17799, NIST SP800-26, COSO or COBIT). For example, an organization may spend countless hours debating whether or not traffic to a server should be encrypted. Creating a data classification policy combined with standardized security controls incorporated into a systems development life cycle (SDLC) would all but eliminate these debates and expedite the implementation process.
Stay focused on the basics:
Instead of trying to fit complicated requirements to your organization, start by understanding your needs. A critical way to avoid confusion is to stay focused on the basic questions that will drive each decision:
· What information assets do you have?
· What is the value of the information?
· What are the potential threats to the confidentiality, integrity and availability of your information?
· How can you protect against these threats?
· How do you train employees and partners on your policies and procedures?
Consider the big picture:
Often, organizations get bogged down in the minutiae of interpreting compliance requirements, but fail to see the big picture. Conduct a comprehensive risk analysis program to determine how to interpret the rules within the larger framework of your organization's needs.
For example, the HIPAA security rule specifies encryption as an "addressable" requirement, leaving organizations to wonder what level of encryption is necessary, if any. The easiest way to resolve this ambiguity is to consider how different levels of encryption may impact your greater risk posture. It is worth noting that many organizations are choosing to implement the more restrictive solution as a best practice - even if not specifically required - as it can also enhance the business process.
Regulations such as SOX are currently being examined to make them less vague and to help lower the cost of compliance. However, because the enforcement of compliance is still new and the requirements have not been tested in court, interpretation of the rules will be an ongoing challenge.
Creating a sound framework that demonstrates due diligence will allow your organization to be better prepared to meet the challenges of compliance while designing an architecture that aligns with the needs of your business.
- Ray Gazaway is vice president of services for IBM Internet Security Systems.