Compliance Policy Development: Do's And Don'ts

Compliance fatigue can afflict just about any enterprise facing the growing list of regulatory requirements placing pressuring on its security practices. Sometimes it might seem that there is just not enough money or time to keep up. But governance, risk, and compliance (GRC) experts believe that the key to bringing things into equilibrium is a solid foundation set by unified policies that can guide security standards and procedures to both minimize risk and comply with regulations now and in the future.

Unfortunately, many organizations today fail to do a good job establishing effective policies. Dark Reading recently talked to some experts in the industry, who offered some helpful tips on what organizations should and shouldn't be doing when developing their security and compliance policies.

-- Don't get bogged down in individual regulations. "Organizations today have numerous government and industry-specific regulations that they need to be mindful of," said Andres Kohn, VP of technology at Proofpoint. "The evolving regulatory environment becomes even more complicated due to multi-regulation and cross-border regulations."

Not to mention Gartner's predicting that by 2014, 70% of IT risk and security officers in Global 2000 organizations will be required to report annually to the board of directors on the state of security, Kohn said. He believes that with so many individual requirements it can be easy to get mired in the details.

"Don't be bogged down by specific regulations," he said, warning that creating policies off-the-cuff to fit specific regulatory mandates can lead to trouble. It makes more sense to develop a policy framework that can be managed and adjusted upon as required by all risk considerations, including new mandates.

-- Do let risk lead policy decisions. No matter what industry you're in, Rick Doten, vice president of cyber security for DMI, says it is important to always remember security's number one motivator: cyber security is all about managing risk. So let risk considerations lead policy decisions and then map compliance reporting to that, not vice versa.

"For instance, regulatory compliance is considered one of the primary business risks for industries such as the energy utilities. The National Energy Regulatory Commission (NERC) can fine a company up to $1 million a day for non-compliance," Doten says. "Others, such as the large financial institutions, have dozens of regulations they need to follow. They focus on building a security program where controls are appropriate to protect the business, and consider regulatory compliance as merely a reporting exercise to show how their controls map to meet the regulatory criteria."

Read the rest of this article on Dark Reading.

When picking endpoint protection software, step one is to ask users what they think. Also in the new, all-digital Security Software: Listen Up! issue of InformationWeek: CIO Chad Fulgham gives us an exclusive look at the agency's new case management system, Sentinel; and a look at how LTE changes mobility. (Free registration required.)