
Compliance: It’s Here to Stay, No Matter Whether or Not You Like It

The word “compliance” has developed a meaning and significance of its own in the IT sector, and in IT security in particular. A variety of new regulations has surfaced over the last decade, and many of their provisions involve information security in some way. For example, Sarbanes-Oxley (SOX) section 404 requires management of publicly held corporations in the US to assess, and external auditors to attest to, the effectiveness of internal controls over financial reporting; in practice this means that the systems which produce and store financial data must have controlled access and be monitored on an ongoing basis.

Whereas information security professionals have traditionally viewed security-related risk in terms of confidentiality, integrity and availability, the many regulations that touch on information security have forced security professionals and senior management alike to embrace a second category: compliance-related risk. Failure to comply can produce far worse outcomes than even the most egregious security incidents, not only in terms of fines, sanctions and even jail terms for senior management, but also in terms of negative public perception.

In theory, complying with information security regulations should be neither conceptually difficult nor require an organization to expend a considerable amount of resources. In reality, the opposite has generally been true. One of the major obstacles to achieving compliance is ambiguity in interpreting the requirements of each provision within each regulation. Additionally, the sheer number of regulations and standards (the European Union Data Protection Directive, ISO 27001, SOX, Gramm-Leach-Bliley, HIPAA (the Health Insurance Portability and Accountability Act), PCI DSS (the Payment Card Industry Data Security Standard), FISMA (the Federal Information Security Management Act), Basel II, and others) has made compliance a major headache for a large number of organizations.

From a pure information security perspective, compliance is a two-edged sword. Without it, organizations with deficient security practices are too often content with the status quo. At the same time, compliance does not necessarily produce adequate security. The best example is FISMA, under which an organization with an exceptionally poor security control posture can pass its audits with flying colors simply because it has produced a large amount of documentation: the audit measures the paperwork, not the controls.

All things considered, compliance requirements have boosted the security control postures of organizations for several reasons. First and foremost, because these requirements generally involve information security, senior management has tended to involve information security professionals in compliance-related issues, thereby elevating the value, status and credibility of information security. Second, the need for security-related compliance has provided information security groups with resources that almost certainly would not otherwise have been available. Third, organizations have been forced to deal with issues such as adequate access controls over financial information and adequate monitoring processes that might otherwise have been overlooked.

If anything, expect an increasing number of information security-related compliance requirements in the future. Tolerating poor security control postures that lead to a plethora of security incidents is no longer feasible. The number and severity of security threats are growing rapidly, resulting in escalating risk with potentially huge negative impacts on the public as well as on stockholders. So compliance is here to stay, whether or not you or anyone else likes it. The only reasonable response is to deal with it as one of the many types of risk that must be mitigated.
