Good security can aid compliance

Op-ed By Ben Rothke, Network World
December 15, 2006 12:10 AM ET
As regulatory deadlines approach, companies often scramble to put plans into place, diverting employees from their regular tasks to work on documentation and other deliverables. If your company is scrambling to deal with regulatory compliance, then there is a much greater underlying problem that can't be blamed on a lack of budget or staff within the information security group.

If you combine the myriad security and privacy regulations, there is roughly an 80% commonality between all of them. The Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, Securities and Exchange Commission Rule 17a, Senate Bill 1386 and countless other new regulations coming down the pike all deal with fundamental issues of computer security and privacy.

The most pragmatic way to handle regulations is to create an effective information security foundation and infrastructure. This enables an organization to easily deal with any new regulation that comes into law.

Companies are missing the point when they deal with each regulation as a discrete effort that needs to be complied with. This myopic view of regulatory compliance creates a situation in which organizations are constantly reinventing the wheel and wasting time and effort. Given the 80/20 rule, which posits that 80% of regulatory requirements fall within a small set of parameters, having a security foundation means that, at worst, you'll only have to initiate "fire drills" to deal with the other 20% of requirements.

Organizations often don't realize that security and compliance are not absolute states. Computer security is essentially a compromise between risk and usability. By performing risk assessments and understanding what its risks are, a company can discover how to secure its systems effectively. Similarly, compliance is a negotiation between a company and its auditors and regulatory bodies. Organizations that have this security foundation can create a defensible position with respect to whatever regulation the auditors are dealing with that week.

So what is to be done? Above all, organizations need to create security around a formal framework, such as the (ISC)2 Common Body of Knowledge, ISO/IEC 17799 or the Information Security Forum Standard of Good Practice. This shows a company is serious about security.

Companies that have developed effective information security programs have accomplished their goals by focusing on security from a framework of risk mitigation and dealing with those risks using these frameworks. The advantages to such an approach are powerful, as the recurring costs to comply with current and proposed regulations are a fraction of what they would be if such a framework were not used.

Regulations are like a baseball pitcher with a variety of different pitches. A good catcher can catch whatever pitch is thrown at him. A good foundation ensures that all work will be in the strike zone and obviates all wild pitches.

Rothke is a senior security consultant with INS and the author of Computer Security: 20 Things Every Employee Should Know. He can be reached at ben.rothke@ins.com.
