Compliance means ensuring that an organization meets at least the minimum security-related requirements that apply to it. Security is the set of technical systems, tools and processes put in place to protect and defend the information and technology assets of an enterprise.
Information Security Compliance is about protecting the confidentiality, integrity, and availability of the information and technology assets within an organization.
There are numerous government, industry, and other regulations which determine the specific security requirements of an organization.
The goal of information security compliance is to meet at least the minimum compliance requirement of each regulation that applies to the organization.
Examples of the regulations include:
- Basel II regulations
- NIST Federal Information Processing Standard (FIPS) 140-2, mandated for federal systems under the Federal Information Security Management Act (FISMA)
- Cyber Security Enhancement Act of 2002 (CSEA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- EU Data Protection Directive (Directive 95/46/EC, since superseded by the GDPR)
Creating Compliance Requirements within an Enterprise
Information security compliance is closely tied to enterprise compliance, which governs the business continuity requirements and objectives (for example, those of a healthcare provider organization) that are derived from the legal requirements above, while at the same time protecting the organization's customers or patients.
So the compliance approach is about defining the organization's compliance requirements, rather than just applying security controls to meet regulatory requirements.
Information Security Compliance Process
There are three fundamental stages to the process that accomplishes this goal:
- Identify the applicable compliance requirements. This ensures that the organization is aware of all the compliance requirements it must meet, including those specific to the industry and sector in which it operates. The requirements vary between organizations and can be significant.
- Enterprise architecture. This puts an information security compliance architecture in place as a stable and effective structure for keeping the information and technology assets healthy and meeting all of the compliance requirements. It generally includes identifying and assessing risks across multiple control and risk domains, including people, process and technology, and designing the organization's risk management controls and processes: control implementation, risk assessment, control testing and ongoing control of the risks to keep them as low as reasonably possible.
- Implement the compliance requirements. This ensures that all of the security requirements are implemented as part of ongoing operations, and that each compliance requirement is periodically reviewed to confirm it is still being met.
Ensuring the effectiveness and accuracy of an enterprise’s health and security
Compliance means ensuring the accuracy and effectiveness of the health and security state of an enterprise (i.e. organization).
Compliance is important because it is good for the organization and good for the people within the enterprise. An organization that meets its compliance requirements gains:
- Trust – it is seen as well led and well managed.
- More opportunities for sales and employees – a well-managed organization is more resilient and more competitive in the marketplace, which attracts customers and staff.
- Fewer and less expensive fines and penalties.
- Assurance for employees and customers that the organization is run well and is resilient.
- Protection from reputational damage and loss of investment.
The methods and concepts associated with Information Security Compliance are related to Risk Management.
Traditionally, Risk Management has been quite a generic term and there is ambiguity with respect to the association with information security.
Risk management, traditionally, is more aligned with a process, whilst Information Security is something that is associated with a set of tools and techniques such as a Security Policy, Security Standards, Security Procedures, Security Controls and so on.
For highly mature organizations that have made Information Security an important part of their operations, the risk management requirements are an extension of the Security Management Process already being followed within the organization.
For organizations at an earlier stage of maturity, risk management is less likely to be implemented as part of the Security Management Process.
The general principle, however, is that risk is assumed to be present as a standard component of the organization's operations, and that the control objectives are to reduce that risk and respond to it appropriately; to do so, the organization needs to implement risk management processes and tasks.
What is important is that the procedures and controls fit the context of the values and culture of the organization.
In addition, the risk management procedures and controls should be embedded within the risk management process and carried out on an ongoing basis.
This is an important point, because other information security activities, such as assessments and testing, are often carried out as one-off exercises.
The processes should also incorporate the organization’s Information Security Policy, Strategy and Threat Assessment, and incorporate the risk management tasks within the implementation of these processes.
Risk Management is about creating an environment wherein risk and information security are well understood, measured, prioritized, avoided and mitigated.
The main purpose of implementing risk management is to reduce or contain the organization's risk. Risks may be undesirable threats, but they may also represent beneficial opportunities. The purpose of risk management is to ensure that the business plans and strategies are sustainable and aligned with the overall goals of the organization.
Risk management can occur at three levels at an organization:
- Business level – Aligning the plans and strategies of the organization to its overall goals and objectives.
- Operational level – Day-to-day risk management activities to ensure that the organization is operating efficiently and effectively to reach its goals and objectives.
- Tactical level – Risk management activities within the programmes and projects that turn the business-level plans into operations.
What is important is that the risk management activities recognise and respond to the strategic goals and objectives of the organization.