RSA Europe: Compliance is a by-product of a well-managed system
Efficient compliance can be achieved by having a well-managed security system.
Speaking at the RSA Europe Conference in London, Art Coviello, president of RSA, The Security Division of EMC and executive vice president of EMC, claimed that there is a need to embrace risk-based compliance and focus on the most complex analysis and risk.
He said: “Have a holistic view of your environment, set adequate controls and streamline and automate complex processes.”
He pointed to a recent report that offers recommendations 'to help organisations align their programs to the heightened demands of the new compliance landscape'. The report sets out seven recommended strategies:
1. Embrace risk-based compliance: Build an effective enterprise program that provides everyone in the chain - from individual business process owners to the board of directors - with all of the multi-faceted information needed to make risk decisions.
2. Establish an enterprise controls framework: Create a consistent set of controls across your enterprise that is mapped to regulatory requirements and business needs.
3. Set/adjust your threshold for controls: Determine the 'right' level of security controls and gauge the prevailing industry standard to meet the legal requirement for 'reasonable and appropriate' security measures.
4. Streamline and automate compliance processes: Establish an enterprise governance, risk and compliance (eGRC) strategy that consolidates all of the information necessary from across the organisation to manage risk and compliance and provide visibility into controls.
5. Fortify third-party risk management: Move away from 'boilerplate' security agreements and towards comprehensive third-party strategies that focus on: diversification, due diligence, rigorous contractual requirements, consequence management and governance.
6. Unify the compliance and business agendas: 'Operationalise' compliance and develop the organisational structure required to fully embed compliance into the business and align it with the organisation's highest-priority goals.
7. Educate and influence regulators and standards bodies: Educate legislators and constructively affect regulation to avoid overly prescriptive rules that will cripple business.
“The security industry does not have a system that integrates people, process and individual security controls that can be managed with the same kind of correlated, contextual and comprehensive view used by the aviation industry to guarantee the safety of our airways. Information security management needs to function as a system capable of effectively and efficiently managing our information infrastructures, providing visibility, manageability and control across all three domains – physical, virtual and cloud. We need a system that enables us to close the gaps of protection and apply controls in a more holistic, systemic manner, centralising management not just for some vendor controls, but for all,” said Coviello.
Tom Heiser, chief operating officer at RSA, also likened security systems to air traffic control and said that there is no equivalent system for processing people as there is for planes. He said: “A system is composed of critical components and IT teams are stranded with managing policy and often, clustered with different tools saying what is good and what is bad.
“In the end the goal is to simplify management and enhance alignment between the security team responsible for defining security policy and the operations team charged with implementing that policy. By integrating these technologies, systems and feeds, we enable a holistic approach to risk management and compliance; a single view to the most important security and compliance elements across the entire IT environment. In effect, we've built our version of air traffic control for the traditional information infrastructure.”