Businesses of all sizes not only face increasing security threats, but also greater regulatory compliance requirements. Here are some strategies to help find a balance between Security and Compliance and align your information security activities with your industry/regulatory compliance requirements.
Security and Compliance
Despite considerable efforts within the information security industry, many business leaders still hold to the mistaken idea that information security and industry/regulatory compliance are equivalent. In other words, many feel that if their organizations are evaluated as compliant to some standard or framework, then they must by definition be secure.
There are several reasons why this is not automatically true, the most relevant of which is the following: Compliance tends to focus on a point in time, while an organization’s information security posture is ongoing / fluid / dynamic, changing as equipment, configuration, personnel, threats, risks and opportunities change.
For example: When police perform random spot checks for drunk drivers on a section of a busy street, they cannot guarantee that they will find or encounter every impaired driver. There is simply no way for random road-side checking to catch every single drunk driver in town. Such is the nature of spot checking.
Security and compliance are certainly complementary activities, but they are not equivalent. It is possible to implement reasonable security measures in a way that is not compliant with any standard or framework. It is also possible to be compliant with one or more compliance standards, yet fail to achieve any reasonable measure of information or physical security – and this is all too often the case, as evidenced by the major breaches of retail organizations which had achieved PCI compliance.
Since so many organizations find themselves needing to attain both Security and Compliance, let’s look at some ways of achieving both as cost-effectively as possible.
Let’s start with the following observations:
- Information Security is largely focused on preventing those activities or access that which should not occur, while allowing those which should occur.
- Compliance is focused on documenting – or otherwise proving – that various requirements or objectives have been attained.
With these two very basic observations in mind, let’s consider some approaches to balancing their needs:
- Select from multiple compliance frameworks
- Understand the spirit of the requirements and security controls
- Tailor the controls to your business needs
- Monitor and document your activities
1. Select from multiple compliance frameworks
To a great extent, the location of your organization and the jurisdictions in which it conducts business, will dictate what security standards and compliance frameworks you will need to focus on. In the US, the NIST guidelines are the basis for many security and compliance programs. In Europe and the international community, there is much more focus on the ISO standards. There is also the CoBIT framework, which is quite comprehensive.
Even if you are only conducting business in a single jurisdiction today, it can be very helpful to look at multiple compliance frameworks as a foundation for your organization’s security program. Pay special attention to the way those controls are measured and monitored. Also look at baseline requirements, and if possible, select the most stringent one, which would make your organization automatically compliant with the selected standards.
2. Understand the spirit of the requirements and security controls
Yes, reading security controls can be very tedious business. However, it is important to do so, because the goal is not simply to accomplish just what is asked, but to understand how the compliance requirements map back to actual security objectives.
Wherever possible, make sure that the controls you apply actually achieve a security benefit for your business. Using more than one framework can be helpful in understanding or deriving the security benefit of a control or a set of controls, hence recommendation #1.
3. Tailor the controls to your business needs
Security controls cannot be one size fits all. Every organization does not have the same kind of staffing or the same business objectives or the same resources, so there needs to be some level of customization of the security controls to fit your organization. No, you cannot just do whatever you want, but there is often a fair amount of latitude to how you apply a control.
Is your organization large enough that it can afford to dedicate totally different personnel to every functions? If yes, then great. If not, then having clear documentation on hand as to who handles what, and under what circumstances, will go a long way toward showing your compliance in areas that call for segregation of duties, for instance.
Likewise, the tools used to document your processes can be as simple as your organization’s existing incident management application, or as complex as a full-fledged document management application.
Another area of focus is policies and procedures. These should be basic enough that they can be easily maintained and understood, yet comprehensive enough that they actually provide a benefit to the business, and are accepted by auditors. For good compliance, each of your policies should be covered in a procedure document. It does not have to be a one-for-one document relationship, but the policies – which represent objectives – should map back to actual procedures – which represent the activities that accomplish those objectives.
4. Monitor and document your activities
Documentation is a key element of compliance. Anyone can *say* they are doing something, or that their organization holds to certain standards or beliefs or objectives. It is your documentation that proves that you are in line with what you claim.
Likewise, you can configure your security devices to do all sorts of things, but if you do not enable any monitoring, you cannot be sure that they are working as intended, or that there aren’t other/new things that are occurring in your environment which are pertinent to your overall security posture.
An organization that has modest compliance objectives, yet clearly documents their adherence to their stated standards and objectives, will be viewed more favorably by auditors than one which aspires to grand and elaborate objectives, but is not able to show (or easily show) compliance with their policies – even if those policy documents are quite comprehensive.
If it’s not documented, then it’s not really happening.
Take the time now to put some effort into aligning your compliance and security objectives. This will make your organization more flexible as it finds itself subject to new compliance requirements, and it will make it easier to adjust or enhance your activities to support these objectives. And it will aid your organization in adjusting to new threats as well.
If done well, it can be the proverbial win-win situation.