
Using Compliance Tools to Make Regulators Your Friend

Companies often think of regulators as boogiemen.  They dread the days when regulators arrive, fearing unforeseen issues will be identified that may cause brand damage or other management issues.  It's unfortunate and unnecessary.

Smart companies have learned that regulators don’t have to be the bad guy.  In fact, they’ve found ways to leverage compliance tools to make regulators their friends.

Understanding Regulators

The foundation to making regulators your friends is to know their processes.  By clearly understanding both what they are evaluating and the logic behind their process, you can better prepare yourself for an audit—and make your relationship much more pleasant.

Look at bank examiners.  They are focused on the safety and soundness of the bank.  Underneath this umbrella are system security controls.  Since you know bank risk controls are designed to guarantee the safety and soundness of the bank, you have a better understanding of how examiners will approach their audits.

Another good example is the PCI-DSS audit guidelines.  When preparing for an audit, focus on the PCI audit guidelines rather than PCI itself.  They clearly articulate what the auditors require.

By understanding the process and focusing on relevant guidelines, you’ll maintain compliance and build a strong friendship with the auditor—you just made their task a lot easier!

Trust But Verify

Information security has made the transition from "you're secure, I trust you" to "trust but verify."  As a result, regulators are looking for demonstrability, so you want to be able to transparently demonstrate proof of controls when the auditors arrive.  Compliance tools are key to ensuring this.

If you were dinged last year for a weakness, make sure you can show three things:

  1. Policy: You have a documented policy that mandates the control
  2. Process: You have a process supporting this policy that ensures the control is operational and up to date
  3. Verify: You have a transparent and demonstrable way to verify the control is working

While many companies treat compliance tools like a temple—the more sacrifices, the better we are—keep in mind the goal.  You know you’ve found a friend when a regulator asks to use your documentation as examples for others.  And that builds your reputation for being secure.

Photo credit: tashland

About the Author: James M. Anderson is President of Professional Assurance, LLC, an advanced enterprise security consultancy.  Over his 30-year career, he has served as Vice President, Global Information Security Services for Visa, head of the information security unit of Morgan Stanley and as Director of Security and Information Services at Lexis-Nexis, Inc.  He holds the CISSP, CISM and CGEIT certifications.  You can follow his writing on the Evantix blog or connect with him on LinkedIn.
