Network Security
Put the ‘i’ in IT compliance
A holistic, program-based approach can address security and privacy requirements.
by John Linkous

Today’s information security and privacy compliance programs address a wide range of internal requirements dictated by business partnerships, established service-level agreements (SLAs), known and emerging threats, and other factors driven by both business and technology. The most effective method to manage compliance in today’s complex world is through a disciplined, holistic approach that addresses compliance not as a reactive, point-in-time event, but as a proactive program.
In the field of information assurance, IT has historically focused on factors such as operational efficiency and performance. Security of information rarely came to the forefront, although some early regulations, such as the Federal Education Rights and Privacy Act, established a baseline of explicit data privacy and implied security. Security and privacy regulations tended to emerge first in industries that were already highly regulated, such as financial services and utilities, and were limited in scope. Sanctions were often missing from these regulations, meaning organizations might not even suffer penalties for non-compliance.
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) changed the landscape of information security and privacy compliance; it was one of the first broad regulations that contained significant information security and privacy requirements. Because HIPAA integrated provisions for many different business areas (IT operations, information security, HR and audit), it forced organizations (many for the first time) to establish a program approach to compliance, bringing diverse groups within the organization together to achieve specific cross-functional compliance goals. HIPAA, along with emerging frameworks for managing information assurance such as ISACA’s COBIT and ISO17799, helped organizations establish a more comprehensive approach to information security and privacy compliance management.
As far as regulatory compliance for information security goes, the Sarbanes-Oxley Act of 2002 (SOX) became the gold standard for every publicly traded company in the United States. Not only civil sanctions, but also criminal sanctions were mandated for certain conditions of non-compliance, and these penalties applied to C-level executives.
Once SOX was in effect, corporate boards of directors throughout the country began to show an interest in security compliance. By enforcing a compliance mentality on senior executives, SOX helped organizations to adopt a holistic, program-based approach to security and privacy compliance, in which compliance reporting and metrics across all applicable compliance drivers became critical to the operational success of the company.
With SOX as an indicator of the future direction of compliance-driven information assurance, a holistic, program-based approach can provide the necessary capability to address security and privacy compliance across most enterprises. Building such a program is not a simple process, however, and requires buy-in from across the organization. The following list represents some of the more common problems many organizations encounter:
Making compliance regulation-specific. With regulations that have far-reaching implications and significant sanctions, it can be easy to take a myopic view of information assurance by concentrating the majority of security and privacy efforts on a single regulatory element. The danger of this regulation-specific mentality is that the organization can fall back into a "checklist" mentality, which promotes compliance over reducing risks and improving security.
Viewing compliance as a point-in-time event. Internal and external audits can provide organizations with useful feedback and recommendations. When the organization focuses on the audit itself, however, rather than on risk-based decisions designed to continuously protect the organization, its exposure to those risks during non-audit periods can become significantly higher.
Addressing technology without addressing the business. The purpose of an IT governance, risk and compliance (GRC) program is ultimately to protect business processes. When organizations take a "throw technology at the wall and see what sticks" mentality toward compliance, the real underlying value of information security and privacy is lost.
Failure to achieve organizational buy-in first. IT GRC is a broad-reaching program that requires buy-in across a broad range of constituents, including IT, human resources and finance. In many organizations, however, a "stovepipe" mentality exists across these groups.
Inconsistent metrics and reporting. An organization can only manage what it can control, and it can only control what it can define and measure. Inconsistent metrics and reporting can lead to a loss of control, which can grow into business and fiduciary impacts.
Sidestepping these mistakes while addressing the myriad, complex security and privacy drivers can be a daunting task, even for the most knowledgeable of organizations. While an enterprise-wide IT GRC program is a starting point, it is important to build that program in a manner that avoids the common mistakes outlined above.
Make compliance a holistic effort. Effective information assurance efforts address all factors that drive compliance, including regulations, adopted best practices and frameworks, business partner agreements, internal policies and known threats. Standardizing on a software platform to help manage security and privacy compliance efforts can provide value; however, it is important to standardize on tools that are flexible enough to support all compliance drivers, rather than on tools that support only selected regulations and best practices, some of which the organization may not even have adopted.
Build an IT GRC program. An IT GRC program is a full-time business process requiring dedicated personnel, coupled with communication and management tools. While these tools provide value to the compliance process, they do not (and cannot) replace the people and processes that form the foundation of IT GRC. While there is no such thing as a "turnkey compliance program," using a unified software platform for IT GRC can improve the success of information-assurance efforts. The information-assurance program, however, should drive the IT GRC software, not the other way around.
Risk-based decision making. Identifying and measuring risk to information and other assets is a core function of information assurance. Determining risk can be done in different ways, but generally involves, at a minimum: asset documentation, threat identification and risk metrics. If using multiple point solutions to manage IT GRC, ensure these tools are flexible enough to support multiple definitions of risk.
Communicate first. IT GRC is a business process. To ensure success, executive buy-in is particularly critical; C-level executives can often break down barriers that might exist in the organization, establishing authority and circumventing turf wars and other political constraints that might otherwise hinder the program.
To support effective communications, IT GRC software platforms should provide the ability for different categories of users (IT operations, security operations, risk managers, auditors and C-level executives) to view risk and compliance data in a way that is relevant to them, while providing access control that enforces appropriate separation of duties across constituents.
Establish measurement and reporting baselines. While maintaining a communications framework for IT GRC activities is critical, just as important is ensuring that what is communicated is accurate and consistent across the enterprise. An IT GRC program should use consistent measurements and metrics to ensure that one group’s view of risk and compliance (e.g., IT operations) is consistent with another’s (e.g., IT audit).
As the regulatory landscape for information security and privacy becomes increasingly complex, organizations should address a broad range of new compliance requirements, including business partner agreements, internal SLAs, changing technologies and continuously emerging threats. An IT GRC program can identify the overlap and ambiguity between compliance requirements, establish a centralized set of business processes and tools to address compliance, and allow appropriate stakeholders to identify and address the organization’s security and privacy posture using consistent measurements and metrics.
John Linkous is the IT governance, risk and compliance evangelist for
eIQnetworks, Acton, Mass.