Security Process Professional: Resources for IT Audit & Security Improvement

Reducing the Cost and Effort of Security Compliance

It's hard--but not impossible--to implement a flexible, comprehensive security management program that anticipates future regulatory and compliance mandates.

Legislators are reacting to news of the ChoicePoint data warehousing debacle, in which control of 145,000 private customer records was lost, by proposing to expand the "notification of risk to personal data" provisions found in California 1386 nationwide. This would add one more to the already daunting list of regulations burdening the industry.

There is no reason why every time a new regulation looms on the horizon we should get a stomach full of butterflies. Regulatory mandates are usually nothing more than a tentative attempt to impose common sense on professionals who already know what needs to be done. All organizations have in place a controls framework--whether informal or formal--that provides the infrastructure for business work to be achieved. Those that are poorly organized result in poor business--and few companies can survive for long using that model. So, we can say with confidence that most companies have some kind of working controls infrastructure that maintains the logic of common sense business practice well enough to produce goods and services worthy of sale to consumers.

Regulatory mandates do nothing more than focus our attention on those parts of our already existing frameworks that might need to be working better. With that in mind, you can investigate the myriad security standards and best practices out there and ultimately boil them down into a set of common sense principles that always fall back on what we instinctively know is the right way to do anything: Plan, Do, Check, Act. As these four sound process steps are embedded in every best practice articulation, we should be able to map equivalencies between standards and process frameworks and new legislation, thereby determining whether or not what we are already doing meets regulatory expectations.

Some organizations are already engaged in this work. The IT Governance Institute's Information Systems Audit and Control Association (ISACA) recently mapped equivalencies between ISO/IEC 17799 and its Control Objectives for IT (CobiT) framework. They claim 78% coverage. In other words, if the controls framework you use in your environment is CobiT, and you are using it comprehensively and properly, then you already comply 78% with the ISO/IEC 17799 Code of Practice for Security Management. All you have to do to fully comply with ISO/IEC 17799 is to implement the other 22% of the standard--roughly 57 security practices most often overlooked by companies.

Although it is high level, most auditors agree that ISO 17799 is a sound standard that, if implemented thoroughly and smartly, will meet the requirements of most IT governance process audits. Admittedly, ISACA probably took a liberal view in mapping to ISO/IEC 17799 to make CobiT come up looking good, so I wouldn't eliminate requirements without deeper investigation. But such mappings can help prioritize security improvement goals by focusing you on addressing only those relevant requirements that you are likely not to be covering.

Executing internal controls mapping also provides powerful documentation for audits. Showing that you have a methodology for equivalency mapping in place proves due care, and the documentation that results proves due diligence to external auditors who must be convinced that you are serious about addressing security mandates.

(c) 2005 Bar Biszick-Lockwood/QualityIT

Last Updated ( Wednesday, 29 June 2005 )