According to Ben Wright, a SANS Institute instructor and attorney specializing in IT compliance and security law, the organizations that don't write policies with flexible enough language to account for business and technology changes are setting themselves up for failure.
"Policies are written to require methods or technologies that will not make sense in all circumstances as time goes by. Any organization is constantly changing. After a policy is written, the organization's capabilities can change on account of things like merger, downsizing, or bankruptcy," Wright says. "A policy setting many hard requirements may not always be followed, possibly for very good economic or operation reasons."
In general, organizations have to work to not only future-proof internal policy documents, but also to align current security practices with sometimes outdated regulations.
"Most compliance requirements are a decade old and do not reflect the current work environment. One of the best examples would be PCI -- the world has gone virtual and only this past year did we see any meaningful guidance from PCI regarding virtualization," says Paul Henry, security and forensic analyst for endpoint security firm Lumension. "Organizations need to work closely with auditors to validate that within their environment using current generation technologies that the compliance mandates are being met."
5. Compliance Is Isolated To IT
While the buck stops at IT's doorstep when it comes to carrying out compliance objectives, many organizations fail because line-of-business executives and the legal department aren't looped into the process.
"You need buy-in across the board for a workable compliance effort," Henry says. "Each stakeholder will have different views of compliance; bringing everyone to the table to create the vision of compliance as providing better vision into business processes can actually reduce security risks while improving traditional business processes and reducing legal exposure is a key element to success."
6. Businesses Bite Off More Than They Can Chew
While there are certainly plenty of compliance mandates piled onto organizations involuntarily -- PCI, SOX, and HIPAA come to mind -- many organizations bring more unnecessary compliance work upon themselves before they're ready.
Before enterprises embark on the road to complying with something like SAS 70, COBIT, or ISO standards, they need to be sure they're ready for the process and that the objective really is necessary and aligns with business objectives.
"I think the biggest mistake is biting off more than the organization can chew," says Michael Figueroa, senior vice president at security consulting firm InfusionPoints. "A lot of organizations hear the buzzwords and say, 'We should be SAS 70 compliant,' or, 'We need to be ISO certified,' without really understanding what it means to do that. Then they either end up trying to do everything they can to get that piece of paper without actually following the policies they say they will, or they get overwhelmed and try to hide things from the auditors so they can get that piece of paper."
7. Policies Aren't Tied To Assessment Or Automation
When organizations write compliance policies that can't be properly assessed, there's no way to measure or prove they're being followed.
"If you cannot observe its state over time, its impact on your security is minimal and should not be part of your governance program," says Tim "TK" Keanini, CTO of security and compliance auditing firm nCircle.
Similarly, organizations tend to fall down on compliance when they do everything manually.
"Automation has to be applied to as many security processes as possible because it is the only way to get a comprehensive handle on the rapid changes in the threat environment," says Keanini, who suggests organizations review quarterly those processes that can't be automated in case new technology comes on the market to change the game. "New or more affordable technology may be available to help do things that were previously impossible."