As complying with regulations continues to get more complex, IT organizations need to take a more proactive approach to managing compliance. What follows are seven recommendations for managing compliance that have been compiled by the Security for Business Innovation Council, a group of senior IT executives brought together by RSA, a division of EMC, to create ongoing reports on the state of security in the enterprise.
Information risk management is “identifying and measuring the risks to information and ensuring that the security controls implemented keep those risks at an acceptable level to protect and enable the business.” An acceptable level of risk is determined by an organization’s appetite for risk.
Most organizations today face multiple regulations regarding information protection. It is inefficient and unsustainable to manage compliance by maintaining a separate list of requirements for every regulation.
Determining the “right” level of security controls to meet compliance requirements and business objectives is complex. Ultimately it is a judgment call that considers security and legal risks. A critical aspect of these decisions is asking what would be deemed commercially “reasonable and appropriate.”
As a compliance program matures, organizations aim to create efficiencies, streamline processes and use more automated methods. At present most organizations still struggle with manual efforts. Moving to more automated methods can help not only reduce costs, but also increase consistency in reporting.
With regulations around the world extending responsibility for the security of data across the value chain, organizations need to develop a solid third-party strategy for mitigating risks throughout the extended enterprise. Enterprises can no longer rely solely on agreements and contracts and must take a more active role in verifying that their partners’ capabilities are up to the required standards.
In the past, compliance was often seen as the security and compliance teams’ responsibility and it was an isolated function. Now a fundamental shift is taking place in many organizations. Compliance is increasingly recognized as an essential component of doing business.
After a decade of experience complying with information protection regulations, organizations have a wealth of knowledge of what works and what is not effective. It is widely recognized that although regulators for the most part have benign intentions, they don’t understand the “real world” environment and the complexity of implementation.