Overall, information technology compliance regulations are designed to provide “frameworks” to guide organizations to better protect (1) critical information stored electronically and/or (2) assets controlled by information technology. Examples:
- PCI DSS – credit card information
- Sarbanes-Oxley – the integrity of financial information
- GLBA – bank customers’ non-public personal information
- NERC CIP – reliability of the North American electrical grid
- HIPAA/HITECH – the privacy of patient information
- MA 201 CMR 17 – the personal information of the citizens of the Commonwealth of Massachusetts
Organizations impacted by regulatory compliance requirements have no choice but to incorporate these regulations into their security policies and into their budgets for security investments.
However, in our view, we must recognize that these regulations represent a “floor,” not a ceiling, for information security. Why?
- Compliance requirements are negotiated by committees and tend to include only those requirements on which all members can agree.
- Compliance requirements are updated only every several years, so in times of rapid technological change they fall behind the threat curve.
Therefore, our approach is to integrate compliance requirements with the Cymbel enhanced SANS 20 Critical Security Controls for Effective Cyber Defense. In other words, “Security done right will yield compliance for free; compliance for compliance’s sake will always deliver more problems in the end.”