
RSA Europe: Compliance is a by-product of a well-managed system


Efficient compliance can be achieved by having a well-managed security system.

Speaking at the RSA Europe Conference in London, Art Coviello, president of RSA, The Security Division of EMC and executive vice president of EMC, claimed that organisations need to embrace risk-based compliance and focus their analysis on the areas of greatest complexity and risk.

He said: “Have a holistic view of your environment, set adequate controls and streamline and automate complex processes.”

He pointed to a recent report that offers recommendations 'to help organisations align their programs to the heightened demands of the new compliance landscape'. The report sets out seven recommended strategies:

1. Embrace risk-based compliance: Build an effective enterprise program that provides everyone in the chain - from individual business process owners to the board of directors - with all of the multi-faceted information needed to make risk decisions.

2. Establish an enterprise controls framework: Create a consistent set of controls across your enterprise that is mapped to regulatory requirements and business needs.

3. Set/adjust your threshold for controls: Determine the 'right' level of security controls and gauge the prevailing industry standard to meet the legal requirement for 'reasonable and appropriate' security measures.

4. Streamline and automate compliance processes: Establish an enterprise governance, risk and compliance (eGRC) strategy that consolidates all of the information necessary from across the organisation to manage risk and compliance and provide visibility into controls.

5. Fortify third-party risk management: Move away from 'boilerplate' security agreements and towards comprehensive third-party strategies that focus on: diversification, due diligence, rigorous contractual requirements, consequence management and governance.

6. Unify the compliance and business agendas: 'Operationalise' compliance and develop the organisational structure required to fully embed compliance into the business and align it with the organisation's highest-priority goals.

7. Educate and influence regulators and standards bodies: Educate legislators and constructively affect regulation to avoid overly prescriptive rules that will cripple business.

“The security industry does not have a system that integrates people, process and individual security controls that can be managed with the same kind of correlated, contextual and comprehensive view used by the aviation industry to guarantee the safety of our airways. Information security management needs to function as a system capable of effectively and efficiently managing our information infrastructures, providing visibility, manageability and control across all three domains – physical, virtual and cloud. We need a system that enables us to close the gaps of protection and apply controls in a more holistic, systemic manner, centralising management not just for some vendor controls, but for all,” said Coviello.

Tom Heiser, chief operating officer at RSA, also likened security systems to air traffic control and said that there is no system to process people such as there is with planes. He said: “A system is composed of critical components and IT teams are stranded with managing policy and often, clustered with different tools saying what is good and what is bad.

“In the end the goal is to simplify management and enhance alignment between the security team responsible for defining security policy and the operations team charged with implementing that policy. By integrating these technologies, systems and feeds, we enable a holistic approach to risk management and compliance; a single view to the most important security and compliance elements across the entire IT environment. In effect, we've built our version of air traffic control for the traditional information infrastructure.”
