Compliance Challenge #6: Unique Business Requirements
Many organizations believe they can address compliance requirements using high-level frameworks including NIST's Framework for Improving Critical Infrastructure Cybersecurity or SANS Institute's Top 20 Critical Security Controls (which is actually 246 direct controls, not 20). High-level frameworks require organizations to fill in the blanks using more prescriptive controls from other authority documents, whether laws, standards, or contractual obligations like PCI.
Organizations must determine which implementation controls must be in place to meet their specific requirements. This can be done by leveraging a framework that aggregates all disparate cybersecurity regulations into one database, allowing them to create a concise, harmonized list of necessary compliance controls to implement.
Companies are struggling to understand and implement the right policies and controls to meet ever-evolving compliance mandates. Yet strict adherence to individual compliance standards means they have likely implemented controls they do not need, while inadvertently leaving out important controls necessary for an effective program. This cookie-cutter approach can actually leave organizations more exposed than ever before to potential security risks and control failures.
In this slideshow, Unified Compliance CEO Craig Isaacs explores current compliance gaps, major compliance challenges, and practical tips for creating more effective compliance programs.