Seven Recommendations for a New Era of Compliance
Take a more proactive approach to managing the complexity of compliance.
There's a lot of focus on compliance issues such as the Payment Card Industry Data Security Standard (PCI DSS) 2.0 specification. But at the end of the day, every compliance requirement facing any IT department these days is directly related to how effective that department's governance policies actually are.
As it relates specifically to PCI DSS 2.0, EMC today expanded its consulting services to walk companies through exactly what they need to do to master the requirements of a specification that is still open to interpretation. For example, the specification says companies should take a "risk-based" approach to securing credit card data, but it doesn't say anything about how to define that risk.
According to Branden Williams, director at RSA, the security division of EMC, the services EMC will provide consist of first helping to define a PCI DSS 2.0 strategy, then helping to determine an organization's PCI DSS 2.0 readiness and, finally, helping to perform a forensics exam in the event of an actual breach.
But when you peel it all back, Williams says EMC really wants companies to focus on creating data governance strategies that are based on policies. Once those are in place, the ability to handle any number of compliance requirements becomes an inherent part of the system.
That means that instead of approaching any given specification from the bottom up, starting with a specific set of controls that need to be implemented, companies are far better off creating a true governance process that produces a set of controls that can be reused to meet multiple compliance requirements.
In the case of PCI DSS 2.0, Williams says EMC is trying to give companies confidence not only in their ability to meet the base requirements, but in their data governance strategy as a whole.