Friday, October 9, 2015

Compliance Management - Considerations

Many times we encounter situations where certain Information Security Policy requirements and considerations are not in line with global security best practices, and are in fact not in line with the global standards to that effect. But the major mistake we make at such a point is in how we take into consideration the Business Requirements of that organization, or of those who are actually the recipients of the overall results of those Business Requirements.

The issues are overwhelming for Risk and Compliance Managers across the world as they try to bridge the gap between the Auditor's expectations and real-world scenarios with all their practicalities. This doesn't mean that Auditors' expectations are impractical, or something that need not be entertained per se. What is more important for Risk and Compliance Managers, as well as Business Managers, is to ensure that these expectations are well understood, so that it becomes easier to meet them by remediating the open issues.

More often than not, Auditors as well as Risk & Compliance Managers are misunderstood and seen as "Red Flag Bearers" by Business & Technology Managers. Though this perception can't be justified, they have their own reasons, as they have to run the show. There are many occasions when Business and Technology Managers have to take quick decisions, and at times they circumvent or bypass critical security and compliance considerations to ensure that the "Show Goes On."

However, though they say everything needs to be done to ensure that Business as Usual prevails, there are checks and balances that must be applied, and Compliance Considerations must be brought into everyday work life. Though I have long maintained that "what is compliant" is not always secure (for if it were, we would not have as many breaches as we hear of), I still maintain that Compliance provides the baseline controls we must have in place. How we convert them from Compliance Controls into Security Controls depends on how security-focused we are.

The Compliance Considerations that I prefer organizations adhere to are:

  1. Following defined processes and procedures
  2. Documenting what is being done - meetings, notifications, trainings, approvals, etc.
  3. Documenting the changes being introduced
  4. Resolving issues with long-term strategies rather than short-term remediations
  5. Following a Risk-Based Approach
  6. Adopting Return on Investment from Technology (ROIT) rather than resorting to Cost & Benefit Analysis (CBA) - this would always prove to be the more profitable approach in the longer term
  7. A Unified Compliance Approach rather than a Project-based Compliance Approach working in silos - this would always help reduce duplication and redundancy in the controls being managed and the technology being deployed. There is always an overlap of requirements across the various industry standards and regulations impacting the compliance posture of any organization
  8. Driving enterprise-wide Compliance efforts rather than Business Segment silos

There are a few others that may be considered, but the basics of Compliance Management would find solace in the ones mentioned above.