In today’s global economy, business organizations are required to comply with regulations from many countries by virtue of their global presence and/or their serving of customers outside of their country of operations. Some regulations impact them directly, while many others impact them as expectations from customers. For example, a business organization operating from a country and serving a customer in a different country must comply with the relevant laws and regulations of both countries. With stringent penalties for noncompliance, customers are increasingly making their compliance expectations explicit in their contracts. Many laws and regulations have important implications on information security controls and thereby make the security compliance program a priority for an organization. This article discusses an approach to set up an effective security compliance program that can result in long-term competitive business advantage.
Base the Security Compliance Program on a Framework
The number of regulations with which businesses must comply is already significant and is only increasing. Businesses will benefit from recognizing the commonalities of the many regulations, setting up security controls that fulfill a number of regulations and approaching the effort in a systematic manner through the use of a framework. Examples of popular frameworks/standards are the framework of Committee for the Sponsoring Organizations of the Treadway Commission (COSO) (which emphasizes overall internal controls), the International Organization for Standardization (ISO) ISO 17799 (which emphasizes information security), the IT Infrastructure Library (ITIL) framework (which emphasizes IT service practices) and Control Objectives for Information and related Technology (COBIT) (which emphasizes IT governance). Organizations that have already adopted standards and frameworks such as ISO 9001 and the Software Engineering Institute’s Capability Maturity Model Integration (CMMI) should use the existing controls as much as possible and enhance the controls, where necessary, as they set up new systems. Based on business priorities, an organization may select a single framework or multiple frameworks, or even set up a custom framework derived from these frameworks.
There are many strategic advantages of this framework-based approach:
- Frameworks provide a structured approach to the solution as follows:
- Framework-based approaches consider security requirements for the regulatory compliance requirements among the key inputs for setting up the information security management system (ISMS). Such an approach usually requires mapping the regulatory requirements to the controls in the framework and then implementing the ISMS incorporating the controls. This approach also enables due consideration to be given to other requirements, such as customer requirements, internal business requirements and industry norms.
- A framework provides structure and stability, and implementation of a framework generally results in greater levels of process orientation within the organization and leads to many operational benefits.
- Most common methodologies of implementation of ISMS using a framework emphasize the extensive involvement of all the stakeholders and invariably stress management commitment and support, which are critical for success.
- A framework-based approach usually facilitates the systematic setup of a continuous improvement process accommodating changes in regulations and incorporating new regulations as they become applicable.
- Many frameworks have associated standards and/or certification (e.g., ISO 27001 with ISO 17799 or ISO 20000 with ITIL). Such certifications give substantial credibility and independent ongoing verification.
- Frameworks provide a common language for the business processes, which is useful if the organization interacts with global customers and suppliers who have also adopted these frameworks for their compliance efforts.
- Frameworks have evolved out of “best practices” and experiences of numerous organizations from many parts of the world. Therefore, they help businesses identify practices that make the organization more successful, especially in the current global context.
Use a Sound Risk Management Methodology
Return on investment for security compliance expenditure is not as easy to justify as it may be for investments in plants and machinery.
Failure to fulfill the security compliance requirements, however, is likely to result in risks, such as:
- Security incidents, embarrassments and associated losses
- Penalties from failure to meet regulatory requirements
- Embarrassments and lost opportunities from failure to meet obligations to customers
Establishing and maintaining controls to mitigate these risks involves costs. A prudent business executive would benefit from adopting the appropriate risk management methodology for the enterprise, assessing and treating the risks with appropriate controls (and thereby bringing them within acceptable levels based on cost-effectiveness) and managing the risks on an ongoing basis.
Compliance itself should be viewed as a risk that must be managed in the same way as all other risks to the business.1 Business requirements are the drivers used to justify the entire risk management program.
Figure 1 shows all the aspects mentioned previously and the resulting ISMS.2
Make Security Compliance Strategy Part of the Regular Business Strategy and Annual Plans
No organization can fulfill compliance requirements instantly. An initial compliance project could, for example, take an organization from an “initial” state to a “desired” state as shown in figure 2, with the “desired” state having been decided upon by business priorities. Further efforts are required not only to maintain the state reached (“desired”), but also to improve the position. Therefore, it is necessary for the organization’s regular business plan to provide ways of maintaining compliance and ensuring continuous improvement on this front.
This could also mean that the compliance program should be suitably integrated with the organization’s strategy for other management systems, such as a quality management system, and for certifications. The organization should pursue certification against standards such as ISO 27001 for the ISMS wherever business demands justify it.
Integrate the Security Compliance Program Into a Governance Framework
Information security governance involves the development and integration of a management structure and organization with reporting processes that encompass all aspects of a successful security program and will provide assurance to business management that risks are defined and appropriately managed.3 Information security governance is essentially the responsibility of top management.
Figure 3 shows the elements of information security governance, including continuous monitoring and testing of the processes, practices, infrastructure and environment for vulnerabilities, and the provision of the required response in terms of appropriate security remediation through the information security management function, improved defenses, effective controls and change policies, and standards.
Successfully establishing suitable information security governance in the organization is crucial for success in compliance. This requires top management to own the compliance program directly.
While regulatory pressures and customer demands often heighten the awareness, attention and support for the initial project, ongoing support is ensured only when the compliance program becomes an inherent part of the organization’s governance framework.
Establish a Metrics Program to Support the Security Compliance Initiative
Spending on IT security does not always improve security performance. Rather, it is the effectiveness of the security compliance program that leads to better results. Doing the “right” thing is extremely important for the success of the compliance program.
“What gets measured gets done” is true of information security compliance as well. Hence, to be effective, the organization would greatly benefit from establishing appropriate measurements and metrics that can help in assessing and enhancing the health of the compliance program.
Measurements provide single point-in-time views of specific, discrete factors, while metrics are derived by comparing two or more measurements taken over time to a predetermined baseline.4 Measurements are generated by counting, while metrics are derived from analysis.5 In other words, measurements are objective raw data, and metrics are either objective or subjective human interpretation of those data.6
A select set of metrics can be identified, tracked and reported on consistently to help determine answers for the following questions:7
- Are we doing what we should be doing?
- Metrics in this category help in discerning the gap between the current state and the needed end state, presumably a low-risk stage.
- Metrics in this category help in ongoing improvement of the implemented ISMS.
- Are we doing what we say we are doing?
- Metrics in this category help in discerning the gap between end-user behavior and the organizational policy.
- Metrics in this category help in driving the accountability for risk of noncompliance.
These metrics can be used to report the progress of the information security/compliance program by means of scorecards, including balanced scorecards. The chief information security officer and/or compliance professional can use these to demonstrate to the board the value of the compliance program and to answer often-posed questions8 such as:
- Are we meeting the security compliance requirements better than in the past?
- How do we compare with others in this regard?
- Are we secure and meeting compliance needs sufficiently?
Engage Process Owners and Make the Process as Self-governing as Possible
More and more regulations are holding the chief executive officer and chief financial officer personally liable for noncompliance; therefore, it is necessary that organizations set up processes whereby the accountability for compliance becomes part of the culture in the organization. Such efforts will include:
- Setting up an appropriate reporting and visual display system and using the intranet and internal newsletters to enhance the awareness of the progress and continued importance of the program
- Establishing an effective self-assessment by process owners and automating the process to ensure that this is done routinely
Figures 4 and 5 show the results of self-assessments/audits carried out using software that enables administration of a predefined questionnaire to all the stakeholders on a periodic basis and subsequent consolidation and analysis.
Such a self-assessment process can help engage all stakeholders, lead to corrective and preventive actions becoming routine and, thereby, result in better compliance levels. When this is done in conjunction with an effective internal audit and controls testing process, the result is sustained and successful compliance in the organization.
People Are Key to the Compliance Program
A successful security compliance program is a function of people, process and technology. In many cases, it is the people component that becomes crucial for the success of the overall program, as a capable and motivated team of people can exhibit the correct human behavior and consequently make the right decisions and take action at the right time. In particular, the culture of the people has important implications on the success and the costs of the program. In this respect, it is important to note the following:
- When individuals take action because they consider themselves accountable, the driving factor is the external stimuli making them feel “answerable” and, hence, preventing them from doing things that may not be in line with expectations.
- When individuals take actions because they consider themselves responsible, the driver is their intrinsic desire and motivation to do the right thing.
- Developing a culture in which people feel driven by being accountable would mean that the accountability of top management for security compliance is extended across the organization. Developing a culture in which people feel driven by their need to exhibit responsible behavior would mean sustained and cost-effective security compliance. Responsible behavior comes from ownership and awareness to discern what is right and the knowledge to carry out the right action. Therefore, excellence in security awareness and appropriate security skills are goals to be pursued aggressively.
Establish a Continuous Improvement Process
The overall compliance management process must reach a continuous improvement state, with improvements on the various aspects enhancing the:
- Appropriate use of the framework for compliance
- Correct application of an appropriate risk management methodology
- Integration of the compliance strategy with the business strategy and annual plans
- Integration of the compliance program with the overall governance framework
- Appropriate metrics program for the compliance initiative
- Participation of process owners in the compliance program and the extent of the self-governing nature of the program
- Involvement of the people in the overall program
- The extent to which continuous improvement is realized on all the above as a routine
Figure 6 shows an example of a scorecard with quarter-to-quarter progress for a typical organization as the process gets implemented. For the sake of simplicity, each of the criteria is assessed on a scale of 1 to 10, with 10 being the score for complete and effective implementation and 1 being the score for the worst case. Equal weight is assumed for the various criteria.
As a continuous improvement process gets established, the organization would be able to demonstrate increasing ability to readily fulfill the compliance requirements.
Regulatory compliance and, hence, security compliance are here to stay. Many organizations are increasingly realizing the “ability to fulfill compliance requirements readily” as a competitive business strength. In such a scenario, diligent executives, instead of taking a reactive approach, will do well by making their compliance program systematic, making efforts to improve business processes, using the compliance initiatives and the money spent to establish an ongoing process for compliance and, thereby, turning the compliance program into a competitive business advantage.
1 Spafford, George; “Regulatory Compliance and Security,” 15 December 2005, http://itmanagement.earthweb.com/columns/article.php/3571171
2 Sethuraman, Sekar; A.J. Vijayakumar; “Enhancing Security Compliance of Your Distributed Operations by Self-assessment and Automation,” ISSA Journal, July 2006 6
3 ISACA, CISM Review Manual 2005, USA, 2004, chapter 1
4 Frank, Diane; “Agencies Seek Security Metrics,” Federal Computer Week, 19 June 2000, www.fcw.com/fcw/articles/2000/0619/pol-metrics-06-19-00.asp
5 Jelen, George; “SSE-CMM Security Metrics,” NIST and CSSPAB Workshop, Washington DC, USA, 13-14 June 2000, http://csrc.nist.gov/csspab/june13-15/jelen.pdf
6 Payne, Shirley C.; “A Guide to Metrics,” SANS Security Essentials GSEC Practical Assignment, 21 July 2001
7 Opacki, Dennis; “Building Business Unit Scorecards,” www.adotout.com/BU_Scorecards.pdf, December 2005
8 Op. cit., Jelen
Sekar Sethuraman, CISA, CISM, CIA, CISSP, PGDM (IIMC), CSQA, BS 7799 LA, ISO 20000 Auditor is currently head of IT security (Greater Asia) at LexisNexis. He has more than 25 years of experience and has implemented information security systems for large organizations to fulfill the requirements of international standards such as ISO 17799, BS 7799 and ISO 27001. He has also helped many organizations set up effective incident response and business continuity processes. Sethuraman is the program director for the ISACA Chennai Chapter. He is a frequent speaker on various security topics, including measuring and managing the performance of information security, managing security in outsourcing, incident response, COBIT, ISMS and ISO 17799. He can be reached at email@example.com.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.