Compliance Policy Development: Do's And Don'ts - InformationWeek
4/24/2012 12:43 PM
Compliance Policy Development: Do's And Don'ts

Consider this advice to make sure your governance and compliance policies are written wisely.

Compliance fatigue can afflict just about any enterprise facing the growing list of regulatory requirements that put pressure on its security practices. Sometimes it might seem that there is just not enough money or time to keep up. But governance, risk, and compliance (GRC) experts believe that the key to bringing things into equilibrium is a solid foundation set by unified policies that can guide security standards and procedures to both minimize risk and comply with regulations now and in the future.

Unfortunately, many organizations today fail to do a good job establishing effective policies. Dark Reading recently talked to some experts in the industry, who offered some helpful tips on what organizations should and shouldn't be doing when developing their security and compliance policies.

-- Don't get bogged down in individual regulations. "Organizations today have numerous government and industry-specific regulations that they need to be mindful of," said Andres Kohn, VP of technology at Proofpoint. "The evolving regulatory environment becomes even more complicated due to multi-regulation and cross-border regulations."

Gartner also predicts that by 2014, 70% of IT risk and security officers in Global 2000 organizations will be required to report annually to the board of directors on the state of security, Kohn said. He believes that with so many individual requirements, it can be easy to get mired in the details.

"Don't be bogged down by specific regulations," he said, warning that creating policies off-the-cuff to fit specific regulatory mandates can lead to trouble. It makes more sense to develop a policy framework that can be managed and adjusted as required by all risk considerations, including new mandates.

-- Do let risk lead policy decisions. No matter what industry you're in, Rick Doten, vice president of cyber security for DMI, says it is important to always remember security's number one motivator: cyber security is all about managing risk. So let risk considerations lead policy decisions and then map compliance reporting to that, not the other way around.

"For instance, regulatory compliance is considered one of the primary business risks for industries such as the energy utilities. The National Energy Regulatory Commission (NERC) can fine a company up to $1 million a day for non-compliance," Doten says. "Others, such as the large financial institutions, have dozens of regulations they need to follow. They focus on building a security program where controls are appropriate to protect the business, and consider regulatory compliance as merely a reporting exercise to show how their controls map to meet the regulatory criteria."

Read the rest of this article on Dark Reading.
