There's no doubt that regulatory compliance has changed the role of IT security managers forever. No longer is it enough to find and fix vulnerabilities. Today, security processes need to be well documented and substantiated. So it's not good enough to be secure; organizations have to be able to prove they're secure. If done right, this additional layer of regulatory scrutiny and reporting can help enterprises combine their security and compliance programs better to streamline efforts, control costs and keep networks secure and compliant.
The best way to get there is to adopt IT governance frameworks that not only add more governance to IT operations, but also cover a significant percentage of regulatory compliance mandates, such as those associated with Sarbanes-Oxley, HIPAA, SB 1386, and the Federal Information Security Management Act (FISMA). Three very common frameworks employed today include:
COBIT 4.0. COBIT emphasizes regulatory compliance by helping organizations better align business goals and objectives with IT. COBIT is very granular and detail focused, while also capable of feathering across all levels of an enterprise. It accesses the state of security efforts through its use of the Capability Maturity Model Integration (CMMI).
ISO 17799:2005 (ISO 27001). This widely used international IT security management standard organizes crucial security controls into 10 separate buckets: business continuity planning, system development/maintenance, physical security, compliance, personnel security, security organization, computer operations and management, asset control and policy.
NIST 800-53. This National Institute of Standards and Technology (NIST) publication is a comprehensive collection of recommended security controls for federal IT systems. It describes, in depth, security controls to protect IT assets, as well as how to employ these controls as part of a defined information security management program.
Each of these frameworks is a powerful tool that can be used to provide the management structure and processes necessary for an effective security program, especially in mid- to large-sized enterprises. But frameworks alone won't help security managers streamline their compliance and security efforts if the processes aren't auditable, measurable, repeatable, and, whenever possible, automated. Fortunately, some security vendors are enhancing their assessment tools to combine security and compliance processes. These advancements are allowing organizations to manage their security and regulatory compliance policies more proactively, and reduce costs.
For example, modern vulnerability scanners can assess networks; web, file and mail servers; databases; and core operating system settings and configurations for many security related settings and system data points — and all of these data points are essential parts of the controls that constitute a company's security and regulatory compliance policies. These emerging policy compliance assessment solutions map these controls to regulatory compliance frameworks such as Sarbanes-Oxley, as well as the common security management frameworks. In this way, these solutions can go a long way to help leverage both security and compliance efforts.
That's the considerable power of these toolsets. In addition to the efficiency enhancements and cost savings, they give business managers all of the insights they need to make effective, risk-based decisions through trend reporting. In this way, everyone hits his or her goals as security and compliance risks are mitigated continuously.
Amol Sarwate is director of Qualys' vulnerability management lab.