Compliance vs. Security: Building a Sustainable Information Security Management System

Cybersecurity and the numerous regulatory frameworks that have been introduced to ensure the security of critical infrastructure through compliance have become overly burdensome for the owners and operators of critical infrastructure. ISO, NIST, NERC, FERC, SOX, ITIL, COBIT: These are just some of the frameworks end users may have to comply with on a daily basis.

In many organizations, compliance programs are often siloed and driven to meet one particular framework. The compliance and security teams within these organizations find themselves at cross-purposes because they see compliance as an extra burden instead of an essential part of a culture that’s driven by security. How often have you heard “I’m a security guy. I don’t do compliance.” or “I don’t have time to do my real job because I’m stuck doing all of this compliance stuff.”? If the answer is weekly, daily, or even hourly, your organization’s culture and strategy surrounding compliance and security need to be thoroughly re-evaluated.

---

How often have you heard "I'm a security guy. I don't do compliance."?

---

Policy and process refinement, top-down awareness of security and compliance responsibilities, training for the entire organization, and deploying the right technologies are the critical components of a sustainable security program that will stand up to any regulatory framework that comes forward, and they’re the foundation of an effective information security management system (ISMS).

Security-Driven vs. Compliance-Driven Organizations

As the number of regulatory mandates increases, many organizations are implementing compliance programs in order to meet those requirements, assuming that being compliant will also make them secure. While compliance and security are intertwined, they’re not the same thing.

• Compliance is concerned with adhering to guidelines and specifications established by regulatory agencies and standards organizations, with the goal of demonstrating adherence during a formal assessment or evaluation, such as an audit.
• Security is concerned with establishing and maintaining protective measures to allow an organization to perform critical functions despite any actual or potential risks posed by threats to its information systems. The goal of security is to protect against unauthorized access to, and intentional, but unauthorized destruction of, information.

All too often, companies implement multiple standards or frameworks to meet particular compliance requirements, resulting in redundant and inefficient processes that constrain resources and increase costs by requiring additional employees to support them. Consider the following example: Company A is ISO/IEC 20000-certified and subject to both NERC CIP (North American Electric Reliability Corporation – Critical Infrastructure Protection) and PCI (Payment Card Industry) compliance. There’s a separate group of employees responsible for implementing and maintaining each standard, and each standard has a requirement for protecting systems against malicious code, as shown below:

Due to the nature and wording of each of the requirements, each group could be protecting the system from malicious code in vastly different ways, but achieving the same results.

Often, the initial intent behind applying dedicated resources to each standard or framework is to ensure that each effort receives sufficient attention to keep important details from falling through the cracks. Unfortunately, the silos created by these efforts tend to have the opposite effect.

---

All too often, companies implement multiple standards or frameworks, which constrains resources and increases costs.

---

Following on from the previous example, Company B is also ISO/IEC 20000-certified and subject to both NERC CIP and PCI compliance. However, instead of implementing controls from each standard, Company B has chosen to follow the ISO/IEC 27002-2005 Code of Practice for Information Security Management. ISO/IEC 27002 control 10.4, Protection Against Malicious and Mobile Code, provides the same protection as all of the controls in the previous example:

By pooling resources and implementing controls that are common to all of the groups, Company B is able to develop a security-driven program where compliance is a natural byproduct.

Another byproduct of the “one control” method is the ability to integrate compliance-specific processes with existing processes. In many cases, making a small change or addition to an existing process allows the company to meet its regulatory requirements without burdening employees with entirely new processes.

Program Design

There’s plenty of documentation and guidance available on building an ISMS, but building a sustainable system requires some thought. To ensure the organization is able to successfully meet any applicable compliance requirements, accountability for all compliance and security activities should be simplified, standardized, and clarified. Some essential things to consider are:

• Roles and responsibilities: Ideally, the group responsible for implementing and maintaining the program will include a program manager, a training specialist, a communications specialist, and sufficient staff to carry out the group’s day-to-day functions. This may include developing and maintaining appropriate policies, procedures, and standards, keeping the organization apprised of changes in compliance standards, and gathering data as required to meet internal and external requests for information.
• Organizational structure: To whom will the program report? A first thought may be to have the program managed by an existing group in the security organization. However, if the program has any responsibility for conducting audits or making recommendations to evaluate and maintain internal security standards, there could be a perceived conflict of interest. An alternative could be to have the group report directly to the CIO, CTO, or CSO. In addition to removing a potential conflict, this structure will also provide the group with the authority it needs to conduct audit and evaluation activities.
• Relationships with other organizations: Will this group be a point of contact for other organizations in the company, such as regulatory compliance or physical security? Will this group be part of another organization’s reporting structure?

Positioning this group strategically and clearly defining roles and responsibilities are crucial to ensuring its success. If the program is buried at the bottom of the organization, not appropriately staffed, or not given sufficient attention by management, employees may view it as just one more thing that doesn’t affect them and can, therefore, be ignored.

Cultural Change

Transitioning from being a compliance-driven organization to a security-driven one is bound to have an impact on your organization’s culture. Change always does.

Even though combining processes and procedures will make it easier for people to do their jobs (for example, by requiring them to know only one procedure to accomplish a task, regardless of the regulation or standard governing the task), it’s still a change. Effectively communicating the change is essential. Likewise, management support is, as always, crucial. If employees don’t perceive the changes to be important to management, the changes won’t be important to them.

---

Shifting focus from compliance to security is bound to have an impact on your organization's culture. Change always does.

---

Another key to managing change is training. If employees aren’t given the training required to help them understand new policies, processes, and procedures, the chances that they’ll accept the changes are minimal. Providing multiple opportunities for training in various formats is essential to the program’s success.

Technology Integration

The final thing to consider when building an ISMS is technology. Leveraging technology is vital in terms of both sustainability and efficiency. Some technology solutions to consider are: 

• Governance, risk management, and compliance (GRC)
• Identity and access management (IDAM)
• Security event and incident management (SEIM)
• Configuration management system (CMS)

While technology solutions will make sustaining an ISMS easier, technology is not a magic bullet. If your processes aren’t well defined and actionable, implementing a technology solution won’t make them so. It’s extremely important to set realistic expectations for resourcing, both internally and externally. If feasible, engaging a centralized project management office (PMO) will greatly increase the likelihood that the solution selected will meet the organization’s needs.

Securing Success

There’s no avoiding the fact that regulatory requirements will continue to play a bigger role in the way organizations operate in an ever-expanding range of industries. Broadening our view to see these requirements from a security standpoint, instead of focusing on individual mandates, greatly increases our chances of successfully securing our critical infrastructures.

Michele C. Bonner has more than twenty years of experience in the IT industry. She currently serves as an ITSM Process Advisor in Austin Energy’s IT Quality Management group, which leads and manages the implementation and maintenance of the IT Service Management program. Michele is a priSM-credentialed Professional in Service Management and an HDI Certified Help Desk Manager, and she holds a number of ITIL and ISO/IEC 20000 certifications. Michele has been a member of itSMF USA since 2005, and is a past member of the board. She was also a founding member of both the itSMF USA Austin LIG, where she has served in various leadership roles, and the HDI Austin local chapter.

This article first appeared in the July/August 2014 issue of SupportWorld.