Doing so will help organisations ensure that they are constantly on their toes, seeking to improve security posture, and it will also promote better collaboration across the industry. IT professionals have traditionally excelled at sharing information and expertise on a personal level, but we have to begin sharing information at the organisational level to develop collective strength against shared threats. Regulatory bodies will also hopefully step up to participate more fully in this free exchange, which will affect both what it takes to be compliant and what it means to be compliant.
3. Continuous compliance results in increasing complexity, but it can be worth it
To aid in closing the gap between being compliant and actually being secure, many organisations are moving towards a continuous compliance model to help reduce and limit exposure to compliance and security risks.
Continuous compliance involves constantly reviewing processes and quickly making any necessary updates as a result of deviations from their intended performance. However, despite the fact that continuous compliance is effective at eliminating the gaps between compliance and security, it also greatly increases the complexity of managing compliance.
In addition, here are several specific best practices that can help you on your compliance journey:
- Thoroughly document processes, policies and procedures: Documentation is a crucial component of compliance, but it is often the most neglected aspect. Creating comprehensive, in-depth documentation will be beneficial beyond an audit. Compliance is an ongoing process, so it's important to always keep documents and information current by scheduling time to review and revise documentation throughout the year.
- Clearly understand compliance requirements for your industry: Every regulated industry is different. Regardless of which flavor of compliance your organization follows (PCI DSS, HIPAA, custom corporate policies or government policies), it's imperative to understand what exactly is required. Remember, some compliance requirements are clearly defined while others provide only vague guidelines.
- Monitor devices and systems for compliance: Once proper documentation and a clear understanding of your industry's requirements are in place, the next step is to identify which devices, systems, applications and data must be monitored for compliance.
- Continuously review policies and procedures: Reviewing policies and procedures on an ongoing basis and then comparing them with the most updated requirements helps overcome the fear and stress that often accompany audits.
- Automate processes wherever possible: When dealing with an immense amount of data, reviewing audit trails can be a long and challenging task. By automating wherever possible, workloads will be decreased and processes simplified. Security information and event management (SIEM) and other log solutions can play an important role in automating many compliance-related tasks and processes, along with providing important alerting functionality.
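The monitoring and automation items above come together in a small script such as the following. It is an added example, not code from the original article or from any compliance product: the inventory, the audit-trail lines and the policy rules are all constructed and purely illustrative (the rule thresholds are assumptions, not requirements of PCI DSS, HIPAA or any other standard). It evaluates each host against a policy, reviews the audit trail for a failed-login burst, and emits one alert per deviating host, which is the kind of check a SIEM or log solution would run continuously rather than once before an audit.

```python
import re
from collections import Counter

# Constructed sample inventory: hypothetical hosts with the attributes the policy checks.
INVENTORY = [
    {"host": "web-01", "ssh_root_login": False, "password_min_len": 14,
     "days_since_patch": 12, "log_forwarding": True},
    {"host": "db-01", "ssh_root_login": True, "password_min_len": 8,
     "days_since_patch": 45, "log_forwarding": True},
    {"host": "jump-01", "ssh_root_login": False, "password_min_len": 14,
     "days_since_patch": 3, "log_forwarding": False},
]

# Constructed audit-trail lines in a syslog-like shape (not real logs).
AUDIT_LOG = """\
2024-05-01T10:00:01 db-01 sshd: Failed password for root from 10.0.0.5
2024-05-01T10:00:03 db-01 sshd: Failed password for root from 10.0.0.5
2024-05-01T10:00:05 db-01 sshd: Failed password for root from 10.0.0.5
2024-05-01T10:00:09 web-01 sshd: Failed password for deploy from 10.0.0.7
2024-05-01T10:01:00 web-01 sshd: Accepted publickey for deploy from 10.0.0.7
"""

# Illustrative policy (assumed thresholds): each rule is a finding id plus a
# predicate that returns True when the host deviates from the rule.
POLICY = [
    ("ssh-root-login-enabled", lambda h: h["ssh_root_login"]),
    ("password-min-len-below-12", lambda h: h["password_min_len"] < 12),
    ("patch-age-over-30-days", lambda h: h["days_since_patch"] > 30),
    ("log-forwarding-disabled", lambda h: not h["log_forwarding"]),
]

# Matches the constructed log shape: "<timestamp> <host> sshd: Failed password for ..."
FAILED_LOGIN = re.compile(r"^\S+ (?P<host>\S+) sshd: Failed password for ")


def evaluate_host(host: dict) -> list[str]:
    """Return the ids of every policy rule the host currently deviates from."""
    return [finding for finding, deviates in POLICY if deviates(host)]


def count_failed_logins(log_text: str) -> Counter:
    """Count failed SSH logins per host found in the audit trail."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def run_checks(inventory, log_text, failed_login_threshold=3) -> dict[str, list[str]]:
    """Combine configuration checks with log review.

    Every host gets an entry; an empty list means the host is currently compliant.
    """
    failed = count_failed_logins(log_text)
    report = {}
    for host in inventory:
        findings = evaluate_host(host)
        if failed[host["host"]] >= failed_login_threshold:
            findings.append("failed-login-burst")
        report[host["host"]] = findings
    return report


def alerts(report: dict[str, list[str]]) -> list[str]:
    """One alert line per non-compliant host, the shape a SIEM rule might emit."""
    return [f"ALERT {host}: {', '.join(findings)}" for host, findings in report.items() if findings]


if __name__ == "__main__":
    for line in alerts(run_checks(INVENTORY, AUDIT_LOG)):
        print(line)
```

Run on a schedule (or on every configuration change) and fed with the real inventory and log stream, the report doubles as the evidence trail the documentation item above asks for: each run records which hosts deviated from which rule and when, so the state at audit time is just the latest entry rather than a reconstruction.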