July 19, 2006
Compliance & the Security Manager
Over the past 5 years, the need for regulatory compliance has made a difference in the role of the security officer. Arguably security managers must now be equipped with more than simply being able to configure firewalls or set security policies - they must also be minimally conversant, if not completely knowledgeable, about regulatory compliance.
Not all reg compliance is created equal and there are several to be aware of depending on the industry segment your company may play in. HIPAA, FISMA, SOX, GLBA... they all call for involvement from IT security. However, my observation is that they share one thing in common - the lack of definition on what is expected from an IT security perspective. Hence, many security managers are left on their own to figure out "where to go from here" when it comes to compliance.
Take SOX as an example - there are a couple of components of the SOX regs that speak to involvement from IT, namely SOX 404 and SOX 802. In particular, SOX 404 has specific implications to the security manager since it involves ensuring proper internal controls over financial reporting. Yet, the nature of that internal control and how it intersects with IT security isn't always well defined. The net result is that security managers are left to interpret that for themselves often without the benefit of experience.
Just a few tips garnered from several articles and experts -
1. Read the reg. If you're seeking to comply with SOX 404, then it might be a good idea to read the reg for yourself.
2. The compliance auditor is your new best friend. What makes compliance challenging is that it's not just about auditing the controls or process which the compliance auditor is familiar with...nor is it simply about IT security which is the domain of the security officer...but in fact, it bridges both.
3. It's not about the technology. If anything, it's more about processes and policies...and making users aware of what those are.
4. Conform to industry security standards. The application of standards is a good thing since they are well published. The more you rely on proprietary standards, the more time-consuming the audit becomes.
5. Finally, security industry groups such as ISACA (Information Systems Audit and Control Association) are leading the way in defining the IT security requirements for compliance. There are a couple of good resources out there, but one notable resource is CoBIT. CoBIT (Control Objectives for Information and related Technology) is produced out of a joint effort by ISACA and the IT Governance Institute. It is meant to provide guidelines for addressing the IT governance model for SOX. For more information, refer to:
www.isaca.org/cobit.htm
Compliance of any kind is challenging because it bridges the worlds of auditing and IT security. The security officer of today must be comfortable and conversant in both worlds in order to be successful. Benign ignorance is simply not an option anymore.
Posted by andreyee in Compliance
July 01, 2006
Security & Compliance - Who's on First?
I'm planning to launch into a short series of posts on the topic of compliance and I wanted to kick it off with this article from Marcia Savage from Information Security Magazine. It's about the sometimes strained relationship between security professionals and their counterparts on the compliance side, the compliance auditors.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1194877,00.html
It's not a matter of who's in the driver's seat - compliance or security? The reality is that this relationship isn't going away, folks. Regulatory compliance is here to stay, and in an increasingly digital world, it will involve cooperation and influence from information security professionals in order for corporations to comply with these regs.
By the way, if you have any experiences related to getting your organizations to comply with regs that involve information security, I'd love to hear about it.
Posted by andreyee in Compliance