Cybercom

Compliance Management

Introduction

Compliance Management has become an ever-increasing part of everyday business life. Just about every kind of business is subject to requirements from external parties. These include security management, quality management, environmental management, and financial frameworks such as the Sarbanes-Oxley Act. These are all areas where one wants to change the whole organization's behaviour and make sure that the compliance requirements are met in an all-encompassing way and in the most cost-efficient manner possible.

Which parties compose such requirement frameworks?
  • Lawmakers – creating compliance frameworks such as the Sarbanes-Oxley Act and the Basel requirements.
  • Business sectors – the payment card brands have created PCI DSS as an initiative to combat fraud.
  • Standardization organizations – creating standards for the governance of areas such as information security, quality and environmental protection.
All these compliance rule sets have one thing in common: the requirements are far easier to distribute than they are to enforce. Nobody will fail at writing a document with hundreds of security requirements. Security instructions can be written for network management and distributed to the appropriate personnel. The documents can be posted on the corporate intranet for all employees to see. Instructions and checklists can be developed, or even downloaded from the Internet.

But that's not where the challenge is. If things were so simple that a document could be written, and everybody implemented its requirements, there would be no information security issues anywhere today. 

The challenge that both companies and governmental organizations face today is not finding which requirements to apply. The issue is that there are few rational and cost-efficient methods and tools available for measuring the organization's performance in terms of compliance:
"If you can't measure it, you can't govern it."

Cybercom's methods for compliance management are built on three governing principles.  

Don't Get Stuck in Documentation

Information security governance is the prime example of where this principle is commonly violated. When an organization decides to implement a security management framework, the project is often implemented "top down". Policies are written, meetings are held, committees are appointed, checklists are created, and reporting formats are defined.

But there are far too many examples of security work degenerating into mere documentation exercises. The practical, hands-on security work should of course always outweigh the documentation effort.

A Decentralized Approach is Necessary Today

A Cybercom penetration test expert once said that the probability of him succeeding with a penetration test depends much on the network manager's interest in IT security, and little on the formal correctness of the IT governance framework (ITIL, ISO 27000, etc.). One of the reasons that security frameworks fail is that they often focus more on the issuer of the documentation (formal correctness) and less on its recipient.

Today, more and more organizations decide to decentralize the responsibility for IS/IT security. If you are in charge of a web site, you're responsible for its security. If you are in charge of a subsidiary, you're in charge of its security. Security responsibility follows other responsibilities. 

But this means that the security methods need to be easy to understand, and easy to start working with. People need to know right away where to start and what to do. They need to be given their own security process to follow, and this means that the security officer will have dozens - or hundreds - of security processes running simultaneously in the organization. 

Efficient Tools are Necessary

Economists have ERP systems. Supply chain management professionals have supply chain systems. Systems make it easier to work and to know what to do next, and the work done at the local level can be consolidated to create a full picture of the organization's status.

In the IS/IT security line of business, people use the MS Office package and send e-mails. But if MS Excel is used for requirements or for status reports, one runs into tremendous problems as soon as requirements are added, changed or deleted.

The solution is to use interactive online solutions for security management. Such a system can be used to distribute individually tailored selections of security requirements to exactly the right recipients. If the recipient of a security requirement finds that a system is not compliant with the requirement, this can be reported with a single mouse click. Scorecards are automatically consolidated at a central level, creating immediate visual feedback on risk, compliance, and the actions aimed at remediating insecure systems or other control deficiencies.