As the number of regulations an organization must satisfy keeps growing, many organizations still address each set of requirements in isolation. This contributes to the CISO's lack of visibility, and slows the resolution of issues around priority, security, cost, compliance and complexity.
Implementing the best practices below results in more effective management while greatly reducing cost. This risk-based, top-down approach consists of five best practices:
Aggregate asset information: The first step is to collect information about every asset that is in scope for the security or compliance initiative at hand. Pull asset data from external systems (CMDBs, directories, cloud inventories) or discover it with asset discovery technology. Document the relationships and dependencies between assets. Supplement this information with vulnerability reports, incident reports and a threat database. Classify each asset by its criticality to the business processes it supports, because that criticality becomes the impact term in every later risk calculation.
Adopt a standards-based common control framework: Frameworks and specifications — such as COBIT for SOX compliance or the FFIEC guidance for Gramm-Leach-Bliley Act (GLBA) compliance — are being used more and more today. On examination, a significant number of specific control requirements are common across these frameworks. Yet as organizations must comply with more regulations, they tend to adopt a separate framework for each one. This creates unnecessary complexity and expense: the same control is deployed and tested several times when a single common control would suffice. A common control framework removes that redundancy, and with it the complexity and expense, by mapping controls from multiple frameworks and specifications, such as ISO 17799 (now ISO 27002) and ISO 27001 or COBIT, onto one common set of IT controls. All compliance activities are then performed once, against this common control set, and the results are reported back to each regulation that the control satisfies.
Implement controls testing automation: Coping with information security risk is never-ending. New vulnerabilities, threats and attacks are uncovered daily. Systems keep changing: assets are frequently added, reconfigured or removed. In this dynamic environment, organizations are hard-pressed to identify at any given time which applications or business processes are most at risk and which most deserve attention. Manual, periodic control testing cannot keep up; automating the tests, and re-running them whenever the asset inventory changes, is what keeps the control status current.
Take a risk-based approach: Assessing risk and using risk metrics helps organizations achieve their IT governance objectives of prioritizing and managing IT security and compliance in a cost-effective manner. Risk management involves assessing, monitoring, analyzing and mitigating risk. A standards-based framework, such as NIST SP 800-30, provides a comprehensive approach to security risk management, rating each risk by the likelihood of a threat exploiting a vulnerability and the impact on the affected business process.
Get visibility into the network: CISOs and their teams need quick and continuous visibility into risk and compliance status and trends across the organization, as well as into individual business units, geographies or divisions. Monitoring the infrastructure in this way lets IT teams understand what actions need to be taken to protect it, and helps to set priorities.
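The five practices fit together as one data flow: inventory with criticality, a requirement-to-common-control map, a likelihood x impact score per asset, and a test plan that is ordered by that score and rolled up per business unit. The following Python model is an added illustration and is not part of the article or of any vendor product; the asset inventory is constructed sample data, and the control IDs (CC-1 to CC-4), framework names and requirement wording are hypothetical labels rather than real COBIT, FFIEC or ISO 27001 clauses. The 3x3 risk matrix is a simplification in the spirit of NIST SP 800-30, not the standard's own table.

```python
"""Toy model of the five practices: aggregate assets, map framework
requirements onto one common control set, score risk as likelihood x impact,
build a prioritised control-test plan and roll it up per business unit.

Constructed example data; control IDs and requirement text are hypothetical
and do not correspond to real COBIT, FFIEC or ISO 27001 clauses."""
from dataclasses import dataclass

# Qualitative scale for likelihood and impact. The resulting 3x3 matrix is a
# simplification in the spirit of NIST SP 800-30, not the standard's table.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    unit: str                 # business unit, for the per-unit view
    criticality: str          # impact if compromised: low / moderate / high
    frameworks: frozenset     # frameworks this asset must comply with
    vulns: tuple              # ((finding_id, likelihood_of_exploitation), ...)
    controls: frozenset       # common-control IDs actually deployed


# Practice 2: one common control satisfies requirements from several frameworks.
# Key: (framework, requirement wording) -> hypothetical common control ID.
FRAMEWORK_REQUIREMENTS = {
    ("COBIT-for-SOX",  "user access reviewed periodically"):        "CC-1",
    ("FFIEC-for-GLBA", "access rights reviewed"):                    "CC-1",
    ("COBIT-for-SOX",  "changes authorised before release"):         "CC-2",
    ("FFIEC-for-GLBA", "customer data encrypted at rest"):           "CC-3",
    ("COBIT-for-SOX",  "vulnerabilities identified and remediated"): "CC-4",
    ("FFIEC-for-GLBA", "vulnerability assessments performed"):       "CC-4",
}

# Practice 1: the aggregated inventory (constructed sample data).
ASSETS = (
    Asset("payroll-db", "finance", "high", frozenset({"COBIT-for-SOX"}),
          (("F-101", "moderate"),), frozenset({"CC-1", "CC-2", "CC-4"})),
    Asset("customer-portal", "retail", "high",
          frozenset({"COBIT-for-SOX", "FFIEC-for-GLBA"}),
          (("F-202", "high"),), frozenset({"CC-1", "CC-4"})),
    Asset("intranet-wiki", "corporate", "low", frozenset(),
          (("F-303", "high"),), frozenset()),
)


def common_controls_for(frameworks):
    """Collapse per-framework requirements into unique common controls.
    Returns (tests needed if each framework were tested separately,
             sorted list of common controls that cover them all)."""
    per_framework = [cc for (fw, _), cc in FRAMEWORK_REQUIREMENTS.items()
                     if fw in frameworks]
    return len(per_framework), sorted(set(per_framework))


def asset_risk(asset):
    """Practice 4: highest likelihood x impact across the asset's findings;
    impact comes from the business criticality recorded in the inventory."""
    impact = LEVELS[asset.criticality]
    return max((LEVELS[lik] * impact for _, lik in asset.vulns), default=0)


def risk_level(score):
    """Map a 0-9 score back onto the qualitative scale."""
    return "high" if score >= 6 else "moderate" if score >= 3 else "low"


def test_plan(assets=ASSETS):
    """Practices 3 and 4: one test per (asset, required common control),
    riskiest assets first. A required control that is not deployed is
    reported as a GAP instead of a test, since there is nothing to test."""
    rows = []
    for a in assets:
        _, required = common_controls_for(a.frameworks)
        for cc in required:
            status = "test" if cc in a.controls else "GAP"
            rows.append((asset_risk(a), a.name, cc, status))
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


def risk_by_unit(assets=ASSETS):
    """Practice 5: roll per-asset scores up to a business-unit view."""
    worst = {}
    for a in assets:
        worst[a.unit] = max(worst.get(a.unit, 0), asset_risk(a))
    return {unit: risk_level(score) for unit, score in worst.items()}


if __name__ == "__main__":
    naive, common = common_controls_for({"COBIT-for-SOX", "FFIEC-for-GLBA"})
    print(f"{naive} framework-specific tests collapse to {len(common)} common controls")
    for row in test_plan():
        print(row)
    print(risk_by_unit())
```

With the sample data, the six framework-specific requirements collapse to four common controls, and the plan puts the customer portal's two missing controls (a GAP, not something to schedule a test for) ahead of every passing test on the lower-risk payroll database. The wiki carries a high-likelihood finding but a low criticality, so it scores only moderate; that is the "top-down" part of the approach, where business impact, not finding count, drives priority.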
Taken together, these steps give companies a better handle on what their environment needs and what they must do to meet regulatory demands while reducing complexity. For CISOs, adopting more thorough information security practices means more predictability, more effective management, lower cost and a greater contribution to the business as a whole.
Pravin Kothari is the founder and CEO of Agiliance, a company that unifies security risk and compliance management in a single integrated solution.