February 11, 2006

One of the areas where I seem to be spending a lot of time helping clients lately is the broad topic of compliance. Now some of you might be shuddering at the mere mention of the word “compliance” (or perhaps you have a different emotion). However, I’m not in that camp, because the compliance efforts I have been part of have really been designed to improve security – and reduce costs (over time). I think that using compliance as a driver is really an opportunity that we, as security professionals, have to seize to prove that security can be a strong benefit to an organization.

Here are some of the lessons I have learned (thus far) that may help you in your efforts:

1. We need to make sure we avoid whitewashing our compliance efforts. I have seen more than a handful of organizations go from 30% compliant to 90% compliant in a week – because they simply checked a box on a form (but didn’t actually do the work)!

As the crunch of deadlines looms closer, some organizations have a mandate to show progress… which is sometimes misrepresented. The problem with this approach is that it leads to a false sense of security and may even land you in some trouble in the future. As security professionals, it is our duty to make sure we help to protect our organizations and avoid whitewashing over compliance directives.

2. Practice diligent risk management. Institute a good framework for risk management — which requires you to stop and think! To be effective, you have to take the time for assessment, then seek to understand your risk and take appropriate action.

3. Focus on asset-based risk assessment. As part of your risk management plan, I encourage you to expand beyond technology-only assessments and get engaged in the organization to uncover the true assets. Once you understand your business, you will be in a better position to take action.

What I especially like about taking an asset-based approach is the transformation it is likely to bring about in your colleagues. By involving the entire team in the process, everyone begins to understand the assets of the organization and the related risks in a more complete way. In the end, this leads to an organization that is better protected.

There is little need to reinvent the wheel these days. Here are some of the frameworks I have used to help me in these projects:

OCTAVE: http://www.cert.org/octave/

FIPS-199: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

NIST 800-30: Risk Management Guide for Information Technology Systems http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

If you have something different you use, please send me an email and I’ll add it to the list!


About the Author: Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.
