"We need to comply with ..." is a phrase that will send quivers of fear, loathing, despair, or joy through many a security person's body. Fear, because you have been through it before and know what is around the corner. Despair and loathing, because you are told to do the bare minimum to comply rather than doing it properly. Joy, because at long last you get some budget and possibly some new toys to play with. Regardless of which feeling the phrase evokes in you, the ultimate truth is that the organisation will have to comply and you are likely going to be involved. Rather than resist it, work with it and make whatever you have to comply with work for the organisation.
Other than relevant laws and regulations, there are quite a number of things you could possibly have to comply with: SOX, NIST, ISM, ISO 27001, SABSA, ISM3, Cobit, ITIL, PCI-DSS, and more. Some of these are mandated by external parties and you will have to comply; for others the organisation may have decided to comply in order to address issues, become more competitive, or for any number of other reasons. Quite a few organisations will have to comply with several of these at once, and at first glance they may not play nicely together.
So why is compliance important?
One of the things I've learned over the years is that there are two information security basics: nothing changes, and everything changes. A bit contradictory, I agree, but let me explain. We all know that information security is one of the more dynamic fields in IT. Attacks are constantly changing and often require different defenses. New technology means we have to change the way in which we secure things. So everything changes, quite often and quite rapidly. On the other hand, nothing changes. When you step back from the nuts and bolts, we have the same challenges we've had for years and years. We have to protect our boundaries, we have to deal with malware, we have to set policies, we have to educate users, we have to identify risks and deal with them. No matter how the attacks change, no matter what technology is introduced, those basic functions still need to be done. That is where compliance can help you out. Compliance can help change a security group from a bunch of people fighting fires into a group of people that has the right equipment and can stomp on a fire when it first ignites or, even better, prevent it from taking hold in the first place.
What can compliance do for you:
Ensure processes are documented
Provide information to those that need it, when they need it
Provide guidance to resolve issues
Ensure basic security processes are done regularly and consistently, e.g. user reviews, risk assessments, projects, etc.
Provide metrics that demonstrate things are secure
Help the organisation reduce costs, e.g. reduced merchant fees, streamlined processes
Stop you having to solve the same issue over and over again
Improve Security's profile in the organisation
The one thing compliance can't do for you is make you secure. You can be fully compliant with a number of standards and still be insecure. The main reason is that quite a number of organisations only comply because they have to. Two weeks, or maybe a month, before the compliance audit there is a huge effort to make sure that everything likely to be audited is compliant with the standard. Sometimes the effort takes place while the audit is happening. I've had a few in the last year where a document miraculously appeared with a creation date two hours after the document was requested. To me that is the wrong approach, and it reduces something that can be worthwhile to a painful, wasteful effort. Likely a more expensive one as well.
When you comply with a standard and it is done well, the processes should be smooth, fit with current practices, and not adversely impact other activities that need to take place. Yes, there will be some impact on the running of the team or organisation, but the impact can be managed. If you find that a process is not working for you, change it. There is likely a better or easier way to do it, and most standards allow you to do this. PCI-DSS, for example, is very prescriptive. There are certain things that you must do, no argument, but the standard doesn't tell you how you must do them (you just have to convince the auditor that what you are doing is acceptable).
The next time you hear the phrase "We need to comply with ...", treat it with joy. You have the opportunity to sort out some processes that may not have been working very well. You may get new kit to play with. If you tackle it well, security will have an increased profile in the organisation (a good one, for a change).
When you are asked to do the minimum to comply, point out that doing it properly has benefits for the organisation: better documentation, better processes and, because you are doing it right, better security.
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.