Compliance: Like It Or Not, It’s Here To Stay
The word “compliance” has developed a meaning and significance of its own in the IT sector, the IT security part of this sector very much included. A variety of new regulations has surfaced over the last decade; many of these regulations’ provisions in some way involve information security. For example, Sarbanes-Oxley (SoX) section 404 requires continuous real-time monitoring of assets that contribute to the profit-loss status of a publicly-held corporation in the US.
Whereas information security professionals have traditionally viewed security-related risk in terms of confidentiality, integrity and availability, the many regulations that to some degree involve information security have forced information security professionals as well as senior-level management to embrace the concept of compliance-related risk. Failure to comply can produce far worse outcomes than can some of the most egregious security-related incidents, not only in terms of fines, sanctions, and even jail terms for senior management, but also in terms of negative public perception.
In theory, complying with information security compliance regulations should be neither conceptually difficult, nor should an organization have to expend a considerable amount of resources to do this. In reality, however, the exact opposite has generally been true. One of the major obstacles to achieving information security compliance is ambiguity in interpreting the requirements of each provision within each regulation. Additionally, the sheer number of regulations—the European Union Privacy Directive, ISO 27001, SoX, Gramm-Leach-Bliley, HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), FISMA (Federal Information Systems Management Act), Basel II, and others—has made compliance a major headache for a large number of organizations.
From a pure information security perspective, compliance is a two-edged sword. Without it, organizations with deficient security practices are too often content with the status quo. At the same time, however, compliance does not necessarily produce adequate security. The best example is FISMA compliance in which an organization with an exceptionally poor security control posture can pass FISMA audits with flying colors simply because it has produced a large amount of documentation.
All things considered, compliance requirements have served to boost the security control postures of organizations for several reasons. First and foremost, because these requirements generally involve information security, senior management has tended to get information security professionals involved in compliance-related issues, thereby elevating the value, status and credibility of information security. Second, the need for information security-related compliance has provided information security groups with resources that almost certainly would not otherwise have been available. Third, organizations have been forced to deal with security issues, such as adequate access controls for financial information and adequate monitoring processes, that might otherwise have been overlooked.
If anything, expect an increasing number of information security-related compliance requirements in the future. Tolerating poor security control postures that lead to a plethora of security-related incidents is no longer feasible. The number and severity of security threats are growing at an astronomical rate, resulting in escalating risk with potentially huge negative impacts upon the public as well as stockholders. So compliance is here to stay, whether or not you or anyone else likes it. The only reasonable response is to deal with it as one of the many types of risk that must be mitigated.
October 22nd, 2007 at 1:38 pm
Hi Gene
Compliance with FISMA is a misnomer–it doesn’t translate into public sector very well. It’s usually because a “civilian” compliance framework is fairly specific.
FISMA’s (aka, the law’s) requirements are very high-level, requiring the following:
Periodic risk assessments
Policies and procedures
Security plans
Security awareness training
Periodic testing & evaluation
Remediation activities
Incident response capabilities
Continuity of operations
The rest is just implementation details. But the more people start spewing off such nonsense as “FISMA Compliance”, the harder it is for those of us who are clueful to get the job done. The true failing of FISMA is that most of the people doing it don’t know what they’re really doing.
http://www.guerilla-ciso.com/archives/150