Through the years I've had the opportunity to help many organizations with their regulatory compliance programs. It's been very enlightening to see the approach each organization has taken in their effort to become "compliant". Many of the differences have been explained by the industry profile or size of an organization. Other times it's the budget or process maturity that has defined their process, or lack thereof. Each time I have challenged the business leaders with this thought: compliance is not a technology problem, it's a business problem.
Over the next few postings I'll attempt to provide some practical advice on how to approach the complex issues of implementing information security in an effort to meet compliance "mandates".
TIP #1: Do a risk assessment…
So many times we look to technology to solve our problems. This harkens back to the early days of IT integration into the business process, when technology could be applied to most processes and the efficiency gained would be off the charts. There wasn't a lot of thinking or justification needed for those projects. You just knew that if they came in on time and on (or close to) budget you'd have a winner.
We've moved into a new age, though, and our thinking must transition with it. Gone are the days when every technology project was a plus for the organization. We really need to identify which projects are worth the time, effort and expense.
Compliance is no different. Most of the regulatory environments your organization will fall under, SOX, HIPAA, FISMA, GLBA, etc., are not specific about how you meet the requirements. One thing they do require, however, is a risk assessment.
The underlying principle of each of these regulations is the reduction of risk. Notice I said the "reduction" of risk and not the "elimination" of risk. When talking about business you've often heard the phrase "No risk…no reward", right? If you eliminated all of your business risk and could still make tons of money, wouldn't everyone do what you do? Where's the market in that? What we really want to do is reduce our risk to acceptable levels. From a business perspective we do this every day when deciding to open in new markets, launch new products, etc. We weigh the risk to the organization and determine whether the risk is worth the reward. In the same vein, then, if you could reduce your risk significantly with little impact to your operations and budget, you'd be crazy not to.
Information security must be approached the same way. Don't put in firewalls, email encryption or costly intrusion detection systems because everyone else is or because you think you're required to. Assess the inherent risk to your organization without those controls, compare that to the residual risk which would remain after implementing them, and see which one you'd rather live with. Why spend $10,000 to replace something which can be replaced for $1,000? Some things, though, such as reputation, are harder to quantify, and it becomes much more complex to put a price on those items.
Now this isn't a license to be negligent and do nothing, but there's certainly a difference between a $500,000 intrusion prevention system and a $50,000 intrusion detection system. Both might satisfy your compliance needs. Only after doing a risk assessment can you determine the level of risk your organization is willing to live with. Risk assessments will help your organization build a profile for risk tolerance and help you prioritize your investments in security.
Many times external consultants are better at leading these discussions, as they can bring an objective viewpoint to your process, especially if this is the first time an assessment is being performed. Pick your assessors wisely, though, and make sure they want to take the time to understand your company, its culture and how it makes (or loses) money. While there are best practices to follow, a cookie-cutter approach will only take you so far.
Next up…Information Security Policy: The Love-Hate Relationship