Compliance Policy Development: Do's And Don'ts - InformationWeek


Compliance Policy Development: Do's And Don'ts

Consider this advice to make sure your governance and compliance policies are written wisely.

Compliance fatigue can afflict just about any enterprise facing the growing list of regulatory requirements putting pressure on its security practices. Sometimes it might seem that there is just not enough money or time to keep up. But governance, risk, and compliance (GRC) experts believe that the key to bringing things into equilibrium is a solid foundation set by unified policies that can guide security standards and procedures to both minimize risk and comply with regulations now and in the future.

Unfortunately, many organizations today fail to do a good job establishing effective policies. Dark Reading recently talked to some experts in the industry, who offered some helpful tips on what organizations should and shouldn't be doing when developing their security and compliance policies.

-- Don't get bogged down in individual regulations. "Organizations today have numerous government and industry-specific regulations that they need to be mindful of," said Andres Kohn, VP of technology at Proofpoint. "The evolving regulatory environment becomes even more complicated due to multi-regulation and cross-border regulations."

Not to mention that Gartner predicts that by 2014, 70% of IT risk and security officers in Global 2000 organizations will be required to report annually to the board of directors on the state of security, Kohn said. He believes that with so many individual requirements it can be easy to get mired in the details.

"Don't be bogged down by specific regulations," he said, warning that creating policies off-the-cuff to fit specific regulatory mandates can lead to trouble. It makes more sense to develop a policy framework that can be managed and adjusted as required by all risk considerations, including new mandates.

-- Do let risk lead policy decisions. No matter what industry you're in, Rick Doten, vice president of cyber security for DMI, says it is important to always remember security's number one motivator: cyber security is all about managing risk. So let risk considerations lead policy decisions and then map compliance reporting to that, not vice versa.

"For instance, regulatory compliance is considered one of the primary business risks for industries such as the energy utilities. The National Energy Regulatory Commission (NERC) can fine a company up to $1 million a day for non-compliance," Doten says. "Others, such as the large financial institutions, have dozens of regulations they need to follow. They focus on building a security program where controls are appropriate to protect the business, and consider regulatory compliance as merely a reporting exercise to show how their controls map to meet the regulatory criteria."

Read the rest of this article on Dark Reading.
