When the auditors come around
Compliance seemed the dominating topic at this year's recent Infosec World Conference & Expo in Florida.

An abundance of confounding issues for information security pros was covered. Unsurprisingly, though, most talks were sprinkled with mentions of conforming to mandates. That's simply because the problem of maintaining compliance with innumerable industry, state and federal rules is a multi-pronged challenge that's bound to get more complex. Moving beyond a theoretical notion of compliance, as most information security practitioners have already learned, requires what is often described as a holistic approach.

But choosing the right morsels to take with them on this dense forest path is no walk in the park. IT security pros might as well slap on a little red riding hood and hope they don't meet up with the big, bad wolf.

According to Chevron's Ken Rivet and Emagined Security's David Sockol, who led a session at the conference called “Compliance in the Real World,” it may not be all that bad, however, if folks plan for the trip. A big mistake companies make right at the start is often confusing compliance management with vulnerability management, thinking that testing against known holes in their organizations' infrastructures will lead to an understanding of requirements to meet mandates. Really, however, getting compliant means testing against established policies and standards that are set by the company or regulations, while also meeting the expectations of senior managers, internal departments and, most certainly, auditors – the guys who can help or hurt IT security practitioners, depending on the relationship cultivated with them.

Utilizing standards, companies have to take a top-down approach to compliance, with policies forming the peak at the top and monitoring solutions comprising the foundation. In between, corporate standards are updated to support the policies and a compliance management plan that is “repeatable, sustainable and well-governed” dictates the technological needs – monitoring or otherwise. It's all about taking into consideration technical versus procedural controls, how compliance is measured, and who is involved in the planning and execution of it all.

That way, when the auditors do start asking tough questions, security professionals won't feel like they're confronted by a row of big teeth, but little old friendly grandma who's come around for afternoon tea.
Illena Armstrong is editor-in-chief, SC Magazine.