Compliance has been getting a bad rap lately, and I’m here to set the record straight… compliance is CRITICAL.
Now, those of you who know me are probably picking your jaws up off the floor and asking whether I’ve suffered a stroke, have started drinking heavily, or have a gun pressed to my temple by a regulator or someone from the PCI lobby. Nope. I still have my full mental faculties (such as they are), and I make the statement without duress — however…
There’s compliance, and then there’s compliance
As usual, our profession tends to not be specific in our use of terms, which sets us up for confusion, inconsistency, and a host of other problems. When I say “compliance is critical”, I don’t mean compliance with some external standard like PCI, ISO, or some hypothetical “best practice”. I mean compliance with an organization’s own policies and standards. Compliance with external standards has its place too (unfortunately), but we’ll pick that up in another post.
Think about it…
In most cases, if an organization was completely, 100% compliant with its own policies and standards, it would almost certainly have a much lower level of risk exposure than most other organizations. In fact, in many cases a 100% compliant organization would be too secure to operate effectively. In other words, the more significant problem typically isn’t how strong a policy is; it’s the variance from the intended/desired state that the policy describes.
In a perfect world…
The illustration below is intended to represent a “perfect world” condition, where all of the assets/systems/whatever are compliant with an organization’s policies/standards. It also reflects the fact that there is no perfect security, and that the organization has wisely established its policies/standards with an acceptance of some degree of vulnerability (and thus, risk).

The real world tends to be much different
The illustration below represents a more likely condition, where controls applied to a population of assets/etc. tend to vary from what policy calls for. It also reflects the effect that has on vulnerability, which in turn affects risk.

But we knew this already, right?
Yes, it’s true that 99.9% of us already know that variability exists and that it’s bad from a risk perspective — so what’s my point? My point is that variance is one of the most important risk-related metrics we have available to us. Here’s why…
As we see from the illustration above, variance from policy can be a strong indicator of an organization’s risk exposure. At the same time, it’s also a marvelous indicator of an organization’s ability to manage risk (i.e., its decision-making capabilities and/or its ability to execute against decisions). A little root cause analysis of a highly variant asset population can provide critical insights into what’s not working, which can lead to far more cost-effective risk management measures.
One example of where this could be applied is in the evaluation of a third party’s risk posture. Rather than send a 60-page questionnaire, why not evaluate the organization’s compliance with its own policies across a cross-section of its information risk landscape? I submit that it would provide a more accurate and useful picture of risk exposure and risk management capabilities than the typical questionnaire, at less cost/effort to both parties.
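To make “variance from policy” concrete as a metric, here is an added example (my code, not the author’s) that scores a constructed asset inventory against a hypothetical internal standard. The policy table, the six inventory records, and the control names are all made up for illustration; the metric itself is one straightforward formalization of the post’s idea: the share of required control instances that are actually absent, computed overall, per control, and per business unit so that the root cause analysis described above has somewhere to start.

```python
from collections import defaultdict
from fractions import Fraction

# Hypothetical internal standard (constructed): the controls each asset class must carry.
POLICY = {
    "server": {"disk_encryption", "mfa_admin", "patch_sla_met", "logging_enabled"},
    "laptop": {"disk_encryption", "mfa_admin", "patch_sla_met"},
}

# Constructed inventory records, as an asset/configuration scan might report them.
INVENTORY = [
    {"id": "srv-01", "class": "server", "unit": "finance",
     "controls": {"disk_encryption", "mfa_admin", "patch_sla_met", "logging_enabled"}},
    {"id": "srv-02", "class": "server", "unit": "finance",
     "controls": {"disk_encryption", "mfa_admin", "patch_sla_met"}},
    {"id": "srv-03", "class": "server", "unit": "engineering",
     "controls": {"disk_encryption", "mfa_admin"}},
    {"id": "lap-01", "class": "laptop", "unit": "engineering",
     "controls": {"disk_encryption", "mfa_admin", "patch_sla_met"}},
    {"id": "lap-02", "class": "laptop", "unit": "engineering",
     "controls": {"mfa_admin", "patch_sla_met"}},
    {"id": "lap-03", "class": "laptop", "unit": "finance",
     "controls": {"disk_encryption", "mfa_admin"}},
]


def missing_controls(asset, policy=POLICY):
    """Controls the policy requires for this asset's class that the asset lacks."""
    return policy[asset["class"]] - asset["controls"]


def overall_variance(inventory, policy=POLICY):
    """Fraction of all required control instances that are absent (0 = fully compliant)."""
    required = sum(len(policy[a["class"]]) for a in inventory)
    missing = sum(len(missing_controls(a, policy)) for a in inventory)
    return Fraction(missing, required) if required else Fraction(0)


def variance_by(inventory, key, policy=POLICY):
    """Variance grouped by any attribute of the asset, e.g. business unit or class."""
    required = defaultdict(int)
    missing = defaultdict(int)
    for a in inventory:
        k = key(a)
        required[k] += len(policy[a["class"]])
        missing[k] += len(missing_controls(a, policy))
    return {k: Fraction(missing[k], required[k]) for k in required}


def variance_by_control(inventory, policy=POLICY):
    """For each control: share of the assets that require it but do not have it."""
    required = defaultdict(int)
    missing = defaultdict(int)
    for a in inventory:
        for c in policy[a["class"]]:
            required[c] += 1
            if c not in a["controls"]:
                missing[c] += 1
    return {c: Fraction(missing[c], required[c]) for c in required}


def ranked(variances):
    """Highest variance first: the place to begin root cause analysis."""
    return sorted(variances.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("overall variance:", overall_variance(INVENTORY))
    tables = (("by control", variance_by_control(INVENTORY)),
              ("by unit", variance_by(INVENTORY, lambda a: a["unit"])))
    for name, table in tables:
        print(name)
        for k, v in ranked(table):
            print(f"  {k:18s} {float(v):.0%}")
```

Exact fractions are used rather than percentages so that small populations don’t get rounded into false precision; the per-control view points at a control that is systematically failing (a process or tooling problem), while the per-unit view points at a part of the organization that isn’t executing against the policy it already has.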