Compliance has emerged as a key issue within the modern workplace. Businesses are compelled to prove the credibility and success of their policies and procedures, and this process takes on a new meaning when focused on IT security, writes Christo van Staden, director at Carrick Holdings.
Requirements for compliance are reflected in what is commonly referred to as a Control Framework, which is a hierarchical structure of frameworks, policies, regulations and technical standards.
Since most regulations are vague about IT requirements, frameworks are often used as a guideline for compliance. However, most frameworks only make broad recommendations, such as suggesting strong passwords. Standards fill this gap by providing a more specific set of checks.
For example, the Center for Internet Security (CIS) benchmarks specifically recommend minimum password length and complexity, which provides a quantified baseline level of security.
The challenge that organisations face with regulations is the significant cost associated with testing and remediating such IT policies and best practices. There are three real requirements or challenges:
* Navigating through all of the legislation, policies and standards;
* Mapping the various standards against each other, e.g. the overlap between CISP, SOX and ISO; and
* Actually performing the checks.
While requirements differ from one organisation to another, it is essential that any business entity demonstrate a thorough understanding of what it has to comply with.
As such, it is prudent to familiarise oneself with each facet of information and its relevance:
* Policies – reflect a mandate from the board of directors, custodians and/or system owners, and describe how the organisation prefers to conduct business;
* Regulations – reflect a set of rules imposed on the organisation, either by its industry or by a governing body within the organisation's area of business, on how it should do business. HIPAA, GLBA, FISMA, Basel and SOX (Sarbanes-Oxley) are examples;
* Frameworks – organised bodies of information regarded as best practice for conducting processes and procedures and as auditing guidelines. ITIL, COBIT and the ISO 27001 standard are good examples;
* Standards – a benchmark of rules against which an organisation can check and measure itself. CIS and SANS are examples.
Over time, both industry and auditors have arrived at the point where they concede that the only way of actually performing these checks is to extract a set of control objectives from the various frameworks, standards and regulations, as well as from the relevant organisational policies.
Enforcement is then reflected in a solution, whether process-, people- or technology-based, which is proven by measuring compliance, that is, whether the control objectives are adhered to, as verified by the third party.
The fact is that data remains the most prized asset within a company and the security-focused digital workplace is regulated by laws that have been passed to encourage a proactive and more responsible approach to information management.
Against the backdrop of an increase in white-collar crime and scandals involving large global traders, it has become mandatory for businesses to review their security policies and procedures.
As such, multiple laws influence IT security in the broader sense.
This legislation includes the Electronic Communications and Transactions Act, applicable to all listed and government entities. The Privacy and Access to Information Act (PAIA) and the Regulation of Interception of Communications and Provision of Communication-related Information Act are also considered influential.
Beyond the added impetus to entrench security policy, education and awareness of technology, solutions and best practices in the workplace, businesses are also obliged to comply with legal criteria governing information management, archiving and dissemination.
What is the approach from business towards the issue of compliance?
This has changed significantly over recent years. For the most part decision-makers have come to realize that compliance has been put in place to assist rather than inhibit.
However, there are businesses and organisations that still see the 'third party' or 'governing body' as a hindrance to overall process and conduct.
Technology certainly levels out the playing field. Products that address IT security compliance issues have been around for some time, but it is only in the last eighteen months or so that the market has begun to seriously acquire and integrate solutions.
These solutions have grown and matured to such an extent that controls can be mapped to information systems and measured against them dynamically. Historically, this is the area where compliance measurement would take up 80% of both the third party's and the organisation's effort and time.
Over and above the measurement of compliance, various controls can be enforced with automated technology solutions such as anti-virus, intrusion prevention, incident management, identity management and firewalls.
It is difficult to identify the real cost of compliance. The challenge is to identify, with certainty, the costs amid the proliferation of regulation, controls and enforcement.
In our experience, the key challenge lies with the actual know-how involved in mapping and implementing the various controls. The end result can be a self-measurable framework, as opposed to relying on a third-party auditor for measurement.
The main consideration for decision-makers is that compliance is obligatory for continued operation and trade. Security is a central component and has to be reviewed, managed and directed with a proactive, meticulous approach.