Compliance Burden - Forest for the Trees?
In my experience many organizations are overwhelmed by compliance
activities and lose sight of what INFOSEC programs are meant for:
insulating the organization against unacceptable risk.
When security resources are taxed with compliance activities, their core
duties suffer. Common distractions include:
* Trying to map applicable regulations into policies, procedures, standards
and associated technical solutions
* Implementation of compliance related directives (hundreds of controls)
* Facing off with auditors from multiple organizations
* Remediating audit report findings
Compliance burden is compounded by reluctance to conduct additional
activity due to cost concerns and resource constraints. Management is
likely to be of the opinion that compliance with multiple regulations
should adequately protect the organization.
The sheer number of required controls may lead to minimum compliance rather
than a focus on security (i.e. looking to fill the check box). Left to
these activities alone, the information security program suffers.
Second to compliance, there is a focus on the threat posed by external
entities. INFOSEC professionals know one of their core duties is to keep
hostile outsiders from inflicting harm on the organization.
Compliance burden and a focus on external threats can leave internal
vulnerabilities in place. In part this is due to resource constraints.
Regulations contribute by speaking to internal controls at a high level,
leaving room for interpretation (and check boxes). There may also be
reluctance to monitor and control employee accesses for fear of offending
someone. For more information, see my article on insider threat:
http://www.gideonrasmussen.com/article-13.html
Kind regards,
Gideon
Gideon T. Rasmussen
CISSP, CISA, CISM, IAM
Charlotte, NC
http://www.virtualcso.com
http://www.ussecurityawareness.org
http://groups.yahoo.com/group/insider-threat
http://tech.groups.yahoo.com/group/security-awareness
Posted:
Wed Oct 4, 2006 11:41 pm
Copyright © 2002 - 2007 Gideon T. Rasmussen All Rights Reserved.