"A common, and fundamentally flawed, approach to meeting information security goals is to focus exclusively on achieving compliance," said Gene Kim, CTO and Co-founder of Tripwire. "Organizations who follow this approach tend to follow a cycle of crisis-driven audit preparation, audit, audit findings, remediation and retesting -- which may also be followed by a highly political search of who is to blame for an unsuccessful audit."
In an effort to help organizations break this vicious cycle and ensure that information security becomes an integral part of daily business operations, Kim recommends that businesses adhere to the following nine best practices:
1) Align with the tone at the top -- Ensure that compliance activity is clearly managed from the top down.
2) Create a set of merged information security and compliance/business goals -- Document IT governance goals and risks to achieving those goals, and confirm that information security and compliance helps achieve those goals.
3) Define ideal information security goal indicators -- Develop theoretical ideal indicators that demonstrate that information security goals are being met.
4) Gain an end-to-end understanding of information flow -- Do an end-to-end business process walk-through to understand and document:
* Where sensitive information enters, transits, is stored, and exits the organization
* Specific risks to organizational goals and information flow
* Where reliance is placed on technology to prevent and detect control failures
5) Agree upon control ownership, roles and responsibilities -- Clearly define roles and responsibilities for audit compliance activities at the process owner level.
6) Define the control tests so business process control owners will agree with the results -- Make sure evidence that demonstrates compliance goals have been met can be generated in an automated manner, upon demand.
7) Schedule and conduct regular control tests -- Conduct tests of control effectiveness frequently enough to be able to rely on their effectiveness regardless of variances in audit scope and timing.
8) Organize metrics and remediation reports -- Track the completion of required remediation work, ideally to be completed well in advance of the audit.
9) Detect and respond to significant changes to the control environment -- Have the situational awareness to know when the information flow or control environment has significantly changed, requiring these steps to be redone (for example, when an application is changed to allow consumer data to be downloaded to desktops instead of being viewed through pre-defined application reports).
Gene Kim will present to information security professionals on this topic today at the Gartner Security & Risk Management Summit in National Harbor, Maryland at 4 p.m. ET, during a session titled "Avoiding Audit Fatigue: Achieving Compliance In A Multicompliance World." To download a whitepaper on the topic, please visit: http://www.tripwire.com/register/?resourceId=9854&cat=Compliance&type=wp/.
About Tripwire
Tripwire is a leading global provider of IT security and compliance automation solutions that helps businesses and government agencies take control of their IT infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and @TripwireInc on Twitter.