Security expert: Communication breeds compliance

SAN DIEGO — Companies are under increasing compliance pressure on a number of regulatory fronts, but the biggest stumbling block to meeting requirements is an internal divide, according to David Mann — executives and IT professionals don’t speak the same language.

Mann, security strategist

with Bindview Corp., told an audience of infosecurity professionals at Microsoft’s TechEd conference this week that IT people have to learn to speak the language of the businesses they serve. He cited, as an example, a conversation between a friend and her three-year-old son, playing out of sight in the basement:

Mom: Whacha doin’?

Child: Nuthin’.

Mom: Whacha doin’ it with?

Child: A hammer.

“”I don’t want to draw the comparison between executives and three-year-olds with hammers,”” Mann said. The point is that IT professionals have to ask the right questions to get usable answers.

Mann breaks down the compliance pyramid into business processes — the area where executives focus on application controls, and general controls — the infosecurity and infrastructure level where IT has the most influence. “”Here’s part of the communication gap,”” he said. “”You’re interested in servers and bandwidth. That’s noise to them.””

There is good news for IT pros, though. While companies are besieged by regulatory requirements — U.S. firms have to contend with Sarbanes-Oxley, Canadian and EU privacy laws, the Basel Accords, the Patriot Acts and more– the requirements are largely the same, Mann said.

“”The most important aspect of your compliance strategy is your security policy,”” Mann said. “”Every auditor I’ve spoken to says the first thing they look at is your policy.”” A good place to start is ISO standard 17799 — based on British standard BS 7799 — which covers the bases well, except for particular vertical requirements.

Incorporating best practices makes executive comfort levels go up — IT pros don’t have to explain details about encryption and authentication. There’s no need to reinvent the wheel, Mann said — auditors already know what they’re looking for.

And it’s important to position compliance policy as a continuous process, not a one-off project. The process begins with the creation and publishing of rules, their application and verification, then the cycle begins again. “”The key thing is you’ve got to close the loop,”” Mann said.

Mann recommends that IT pros working on a compliance framework “”leverage existing intiatives”” — in other words, hijack a project to demonstrate how it can be applied. Risk and gap analyses are fine, but can be expensive, and provide diminishing returns. The more pragmatic alternative is to target an existing effort for compliance as it comes out of the blocks. “”Make it compliant. Demonstrate success,”” and use the momentum to get buy-in from the suits, he said. Wrie the policy to suit the hijacked project only. A crude gap analysis can be used for Round 2.

This works well in a context where the policy is modular and hierarchical — two important characteristics of a compliance strategy. The four levels of a policy are the charter, the broad business statement that a company will comply; the policy, which explicitly states the compliance goals; standards, which specify how it gets done, and by whom; and technical standards — specific configurations, “”where the rubber meets the road,”” Mann said.

Further advice from Mann: document everything — CYA — and sleep well when you’ve done your job. “”You can’t force executives to comply. That’s the SEC’s job,”” he said.

Comment: [email protected]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Dave Webb
Dave Webb
Dave Webb is a technology journalist with more than 15 years' experience. He has edited numerous technology publications including Network World Canada, ComputerWorld Canada, Computing Canada and eBusiness Journal. He now runs content development shop Dweeb Media.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.