Responding to compliance-driven IT security requirements

Managing the requirements placed on your organization by management, third-party consultants, and internal and external auditors typically entail demonstrating and reporting of specific security controls. These controls align with internal corporate policies or external government regulations specific to your industry or type of business.

Unfortunately, many organizations achieve compliance through a cycle of last-minute heroics to generate proof of controls for auditors. This moment-in-time approach to compliance increases the workload, and escalates cost. Yet it still does not protect your organization from the ever-increasing number of sophisticated security threats.

Recognizing that compliance with a policy or regulation often works on a sliding scale, Gartner and others assert that demonstration of, or support for, compliance should involve these three key factors:

• Accountability: Accurate surveillance to report on who did what and when

• Transparency: Visibility into the security controls, business applications and assets that are being protected

• Measurability: Metrics and reporting of IT risks within a company.