10 Simple Steps to Security Compliance
May 30, 2013
Editor's Note: Our security expert Steven Hardwick of Oxygen Finance wraps up his tutorial on the compliance process with the list below, written as directly as self-help advice in a magazine. Help yourself to a better grasp of meeting any security requirements, especially those that may present themselves for the first time after a migration.
By Steven Hardwick, CISSP
Oxygen Finance
Last in a series
Putting a security program in place can be simple and extremely effective. Because the program is ongoing, the mitigation work can be spread over a period of time, spreading out the cost and effort required. It also draws more people into the effort, which builds awareness and makes compliance easier. Finally, an ongoing program gives ongoing protection against a breach, rather than a point-in-time snapshot.
Mapping it out
Here are 10 simple steps that can be followed to help make the process of compliance a lot easier:
1) Identify the information types in your organization. This is called a data categorization exercise, and it gives a clear understanding of what needs to be protected.
2) Pick a security framework and use it to model what types of security controls your organization needs.
3) Break the controls down into Physical, Technical and Administrative categories to make the owner of each control clear.
4) Take stock of what is already in place by completing an internal audit. This can be done with internal resources, or an external company can be hired to conduct it.
5) Create a baseline. This gives the set of security controls that are in place, broken into defined categories. This jump start makes a compliance exercise a lot easier.
6) Pull the team together. Once the baseline has been established, conducting a compliance exercise is a lot easier. Enlisting the control owners at this point is more effective because much of the heavy lifting has already been done.
7) Conduct the compliance assessment. At this point the target data, the security controls and their owners have all been identified, so the assessment is a matter of mapping the compliance requirements onto that baseline.
8) Present the results and define a mitigation strategy. This involves taking the results to the right level of the organization, more often than not the CEO.
9) Once mitigation is complete, conduct another assessment against the compliance requirements to make sure everything has been addressed. It is always a good idea to include the baseline set in this assessment, as doing so re-establishes the baseline.
10) Start (or continue) the ongoing security program, making sure it takes into account any new security controls added during the assessment stages.
Security regulatory compliance can be a nasty business, but with the right approach the disruption can be minimized. Understanding the compliance goals and the effort required gives a better view of what is actually being protected. Splitting the tasks among the right owners is essential to minimizing effort and to getting the right people involved in decisions. Establishing a baseline and maintaining a security program make compliance easier and ensure ongoing protection.
Steven Hardwick manages security for pre-payments provider Oxygen Financial, a European-founded company now extending its services to North American IT operations.