
Copyright 2007 ISACA. All rights reserved. www.isaca.org.

Turning a Security Compliance Program Into a Competitive Business Advantage


By Sekar Sethuraman, CISA, CISM, CIA, CISSP, PGDM (IIMC), CSQA, BS 7799 LA, ISO 20000 Auditor

In today's global economy, business organizations are required to comply with regulations from many countries by virtue of their global presence and/or their serving of customers outside of their country of operations. Some regulations impact them directly, while many others impact them as expectations from customers. For example, a business organization operating from one country and serving a customer in a different country must comply with the relevant laws and regulations of both countries. With stringent penalties for noncompliance, customers are increasingly making their compliance expectations explicit in their contracts. Many laws and regulations have important implications for information security controls and thereby make the security compliance program a priority for an organization. This article discusses an approach to setting up an effective security compliance program that can result in long-term competitive business advantage.

Base the Security Compliance Program on a Framework


The number of regulations with which businesses must comply is already significant and is only increasing. Businesses will benefit from recognizing the commonalities among the many regulations, setting up security controls that fulfill a number of regulations at once and approaching the effort in a systematic manner through the use of a framework. Examples of popular frameworks/standards are the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (which emphasizes overall internal controls), the International Organization for Standardization (ISO) ISO 17799 (which emphasizes information security), the IT Infrastructure Library (ITIL) framework (which emphasizes IT service practices) and Control Objectives for Information and related Technology (COBIT) (which emphasizes IT governance). Organizations that have already adopted standards and frameworks such as ISO 9001 and the Software Engineering Institute's Capability Maturity Model Integration (CMMI) should use the existing controls as much as possible and enhance the controls, where necessary, as they set up new systems. Based on business priorities, an organization may select a single framework or multiple frameworks, or even set up a custom framework derived from these frameworks. There are many strategic advantages of this framework-based approach:

- Frameworks provide a structured approach to the solution as follows:
  - Framework-based approaches consider security requirements for the regulatory compliance requirements among the key inputs for setting up the information security management system (ISMS). Such an approach usually requires mapping the regulatory requirements to the controls in the framework and then implementing the ISMS incorporating the controls.
  - This approach also enables due consideration to be given to other requirements, such as customer requirements, internal business requirements and industry norms.
  - A framework provides structure and stability, and implementation of a framework generally results in greater levels of process orientation within the organization and leads to many operational benefits.
- Most common methodologies of implementing an ISMS using a framework emphasize the extensive involvement of all the stakeholders and invariably stress management commitment and support, which are critical for success.
- A framework-based approach usually facilitates the systematic setup of a continuous improvement process accommodating changes in regulations and incorporating new regulations as they become applicable.
- Many frameworks have associated standards and/or certification (e.g., ISO 27001 with ISO 17799 or ISO 20000 with ITIL). Such certifications give substantial credibility and independent ongoing verification.
- Frameworks provide a common language for the business processes, which is useful if the organization interacts with global customers and suppliers who have also adopted these frameworks for their compliance efforts.
- Frameworks have evolved out of the best practices and experiences of numerous organizations from many parts of the world. Therefore, they help businesses identify practices that make the organization more successful, especially in the current global context.

JOURNAL ONLINE

Use a Sound Risk Management Methodology


Return on investment for security compliance expenditure is not as easy to justify as it may be for investments in plants and machinery. Failure to fulfill the security compliance requirements, however, is likely to result in risks, such as:

- Security incidents, embarrassments and associated losses
- Penalties from failure to meet regulatory requirements
- Embarrassments and lost opportunities from failure to meet obligations to customers

Establishing and maintaining controls to mitigate these risks involves costs. A prudent business executive would benefit from adopting the appropriate risk management methodology for the enterprise, assessing and treating the risks with appropriate controls (and thereby bringing them within acceptable levels based on cost-effectiveness) and managing the risks on an ongoing basis. Compliance itself should be viewed as a risk that must be managed the same as all other risks to the business.[1] Business requirements are the drivers used to justify the entire risk management program. Figure 1 shows all the aspects mentioned previously and the resulting ISMS.[2]

Make Security Compliance Strategy Part of the Regular Business Strategy and Annual Plans
No organization can fulfill compliance requirements instantly. An initial compliance project could, for example, take an organization from an initial state to a desired state as shown in figure 2, with the desired state having been decided upon by business priorities. Further efforts are required not only to maintain the (desired) state reached, but also to improve the position. Therefore, it is necessary for the organization's regular business plan to provide ways of maintaining compliance and ensuring continuous improvement on this front.

Figure 1: Information Security Management System

Diagram flow: Regulatory Requirements, Customer Expectations, Industry Norms and Internal Business Demands feed the Business Policy of the Organization; the business policy drives the Risk Management Methodology; the risk management methodology selects Control Objectives and Controls From the Frameworks (as chosen by the organization), e.g., COBIT, ITIL, ISO 17799/ISO 27001; the result is the set of Information Security Controls, expressed as Policies, Standards, Guidelines and Procedures.

Note: This is just a sketch for representation, not a comparison of frameworks.


Figure 2: Current vs. Desired State

Diagram: a maturity scale (Maturity Level in the Organization) running from Nonexistent Security through Initial/Ad Hoc, Repeatable but Intuitive, Defined Process and Managed and Measurable to Optimized Security, with the organization's CURRENT position marked toward the low end of the scale and its DESIRED position marked higher up.

Figure 3: IT Security Governance[3]

Diagram showing the elements of IT security governance: 1. Issue Security Policy; 2. Build Security Defenses; 3. Perform Active Monitoring; 4. Perform Intrusion Testing; 5. Security Management.
Source: CISM Review Manual 2005. © 2004 Information Systems Audit and Control Association (ISACA). All rights reserved.

This could also mean that the compliance program should be suitably integrated with the organization's strategy for other management systems, such as a quality management system, and their certifications. The organization should pursue certification against standards such as ISO 27001 for the ISMS wherever business demands justify it.

Integrate the Security Compliance Program Into a Governance Framework

Information security governance involves the development and integration of a management structure and organization with reporting processes that encompass all aspects of a successful security program and will provide assurance to business management that risks are defined and appropriately managed.[3] Information security governance is essentially the responsibility of top management. Figure 3 shows the elements of information security governance, including continuous monitoring and testing of the processes, practices, infrastructure and environment for vulnerabilities, and the provision of the required response in terms of appropriate security remediation through the information security management function, improved defenses, effective controls and changes to policies and standards. Successfully establishing suitable information security governance in the organization is crucial for success in compliance. This requires direct ownership of the compliance program to rest with top management. While regulatory pressures and customer demands often heighten the awareness, attention and support for the initial project, ongoing support is ensured only when the compliance program becomes an inherent part of the organization's governance framework.

Establish a Metrics Program to Support the Security Compliance Initiative

Spending on IT security does not always improve security performance. Rather, it is the effectiveness of the security compliance program that leads to better results. Doing the right thing is extremely important for the success of the compliance program. "What gets measured gets done" is true of information security compliance as well. Hence, to be effective, the organization would greatly benefit from establishing appropriate measurements and metrics that can help in assessing and enhancing the health of the compliance program. Measurements provide single point-in-time views of specific, discrete factors, while metrics are derived by comparing two or more measurements taken over time to a predetermined baseline.[4] Measurements are generated by counting, while metrics are derived from analysis.[5] In other words, measurements are objective raw data, and metrics are either objective or subjective human interpretation of those data.[6] A select set of metrics can be identified, tracked and reported on consistently to help determine answers to the following questions:[7]

1. Are we doing what we should be doing? Metrics in this category help in discerning the gap between the current state and the needed end state, presumably a low-risk state. Metrics in this category help in the ongoing improvement of the implemented ISMS.
2. Are we doing what we say we are doing? Metrics in this category help in discerning the gap between end-user behavior and the organizational policy. Metrics in this category help in driving the accountability for the risk of noncompliance.

These metrics can be used to report the progress of the information security/compliance program by means of scorecards, including balanced scorecards. The chief information security officer and/or compliance professional can use these to demonstrate to the board the value of the compliance program and to answer often-posed questions[8] such as:

- Are we meeting the security compliance requirements better than in the past?
- How do we compare with others in this regard?
- Are we secure and meeting compliance needs sufficiently?

Engage Process Owners and Make the Process as Self-governing as Possible


More and more regulations are holding the chief executive officer and chief financial officer personally liable for noncompliance; therefore, it is necessary that organizations set up processes whereby accountability for compliance becomes part of the culture of the organization. Such efforts will include:

- Setting up an appropriate reporting and visual display system and using the intranet and internal newsletters to enhance awareness of the progress and continued importance of the program
- Establishing an effective self-assessment by process owners and automating the process to ensure that it is done routinely

Figures 4 and 5 show the results of self-assessments/audits carried out using software that enables administration of a predefined questionnaire to all the stakeholders on a periodic basis and subsequent consolidation and analysis. Such a self-assessment process can help engage all stakeholders, lead to corrective and preventive actions becoming routine and, thereby, result in better compliance levels. When this is done in conjunction with an effective internal audit and controls testing process, the result is sustained and successful compliance in the organization.

People Are Key to the Compliance Program


A successful security compliance program is a function of people, process and technology. In many cases, it is the people component that becomes crucial for the success of the overall program, as a capable and motivated team of people can exhibit the correct human behavior and consequently make the right decisions and take action at the right time. In particular, the culture of the people has important implications for the success and the costs of the program. In this respect, it is important to note the following:

- When individuals take action because they consider themselves accountable, the driving factor is the external stimuli making them feel answerable and, hence, preventing them from doing things that may not be in line with expectations.
- When individuals take action because they consider themselves responsible, the driver is their intrinsic desire and motivation to do the right thing.

Developing a culture in which people feel driven by being accountable would mean that the accountability of top management for security compliance is extended across the organization. Developing a culture in which people feel driven by their need to exhibit responsible behavior would mean sustained and cost-effective security compliance. Responsible behavior comes from ownership, the awareness to discern what is right and the knowledge to carry out the right action. Therefore, excellence in security awareness and appropriate security skills are goals to be pursued aggressively.

Figure 4: Example Security Compliance Dashboard

Overall Compliance: 35%
Security Policy: 57%
Organization of Information Security: 0%
Asset Management: 0%
Human Resources Security: 0%
Physical and Environmental Security: 100%
Communications and Operations Management: 0%
Access Control: 0%
Information Systems Acquisition: 55%
Information Security Incident Management: 55%
Business Continuity Management: 100%
Compliance: 44%

Figure 5: Branch-wise Comparison of Overall Compliance[2]

Chart comparing the overall compliance level of each branch of the organization.

Establish a Continuous Improvement Process


The overall compliance management process must reach a continuous improvement state, with improvements on the various aspects enhancing the:

- Appropriate use of the framework for compliance
- Correct application of an appropriate risk management methodology
- Integration of the compliance strategy with the business strategy and annual plans
- Integration of the compliance program with the overall governance framework
- Appropriate metrics program for the compliance initiative
- Participation of process owners in the compliance program and the extent of the self-governing nature of the program
- Involvement of the people in the overall program
- Extent to which continuous improvement is realized on all of the above as a routine

Figure 6 shows an example of a scorecard with quarter-to-quarter progress for a typical organization as the process gets implemented. For the sake of simplicity, each of the criteria is assessed on a scale of 1 to 10, with 10 being the score for complete and effective implementation and 1 being the score for the worst case. Equal weight is assumed for the various criteria. As a continuous improvement process gets established, the organization would be able to demonstrate an increasing ability to readily fulfill the compliance requirements.
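The following Python is an added example, not the article's software or data: it consolidates constructed self-assessment questionnaire answers into the per-domain and per-branch compliance percentages of the figure 4 and figure 5 kind, and computes the figure 6 overall score from equal-weighted criterion scores on the 1-to-10 scale. Branch names, ISO 17799 domain labels and question ids are constructed; a question marked not applicable is left out of the denominator, and a domain with no applicable question is reported as not assessed rather than as 0% compliance.

```python
from collections import defaultdict

# Constructed sample questionnaire answers (not the article's data).
# Each tuple: (branch, ISO 17799 domain, question id, answer);
# "na" means the question does not apply at that branch.
SAMPLE_ANSWERS = [
    ("Chennai", "Security Policy", "SP-1", "yes"),
    ("Chennai", "Security Policy", "SP-2", "yes"),
    ("Chennai", "Access Control", "AC-1", "yes"),
    ("Chennai", "Access Control", "AC-2", "no"),
    ("Chennai", "Access Control", "AC-3", "na"),
    ("Sydney", "Security Policy", "SP-1", "yes"),
    ("Sydney", "Security Policy", "SP-2", "no"),
    ("Sydney", "Access Control", "AC-1", "no"),
    ("Sydney", "Access Control", "AC-2", "no"),
    ("Sydney", "Access Control", "AC-3", "yes"),
    ("Sydney", "Business Continuity Management", "BC-1", "na"),
]

VALID_ANSWERS = {"yes", "no", "na"}
SCALE_MAX = 10  # figure 6 scoring scale: 1 (worst) .. 10 (best)


def _tally(answers, branch=None):
    """Count [compliant, applicable] questions per domain, optionally for one branch."""
    tally = defaultdict(lambda: [0, 0])
    for ans_branch, domain, _qid, answer in answers:
        if answer not in VALID_ANSWERS:
            raise ValueError(f"unexpected answer {answer!r}")
        if branch is not None and ans_branch != branch:
            continue
        tally[domain]  # register the domain even if no question applies
        if answer == "na":
            continue  # not applicable: excluded from the denominator
        tally[domain][1] += 1
        if answer == "yes":
            tally[domain][0] += 1
    return tally


def _percent(compliant, applicable):
    """None marks 'not assessed'; it must not be reported as 0% compliance."""
    return None if applicable == 0 else round(100.0 * compliant / applicable, 2)


def domain_compliance(answers, branch=None):
    """Figure 4 style dashboard: {domain: percent or None}."""
    return {d: _percent(c, n) for d, (c, n) in _tally(answers, branch).items()}


def overall_compliance(answers, branch=None):
    """One figure across every applicable question."""
    counts = _tally(answers, branch).values()
    return _percent(sum(c for c, _ in counts), sum(n for _, n in counts))


def branch_comparison(answers):
    """Figure 5 style: (branch, overall percent) pairs, weakest branch first."""
    branches = sorted({row[0] for row in answers})
    pairs = [(b, overall_compliance(answers, b)) for b in branches]
    return sorted(pairs, key=lambda p: (p[1] is None, p[1] or 0))


def scorecard_percentage(criterion_scores):
    """Figure 6 style: equal-weighted criteria scored 1..10 -> overall percent."""
    if not criterion_scores:
        raise ValueError("no criteria scored")
    if any(not 1 <= s <= SCALE_MAX for s in criterion_scores):
        raise ValueError(f"every score must lie in 1..{SCALE_MAX}")
    return round(100.0 * sum(criterion_scores) / (SCALE_MAX * len(criterion_scores)), 2)
```

With the sample data, Access Control consolidates to 40% across both branches, Business Continuity Management is not assessed, and eight criteria scored 4, 2, 1, 1, 1, 1, 1, 1 give an overall process score of 15%.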

Figure 6: A Typical Compliance Process Scorecard

Columns: 2006 Q1, Q2, Q3, Q4; 2007 Q1, Q2*, Q3*, Q4* (2007 Q2 to Q4 are forecasts).

Criterion | 2006 Q1 | Q2 | Q3 | Q4 | 2007 Q1 | Q2* | Q3* | Q4* | Remarks
Appropriate use of a relevant framework | | | | | | | | | COBIT framework was chosen in 2006 Q2; implemented in 2006 Q3 and Q4; improved in 2007.
Use of a sound risk management methodology | 4 | 4 | 6 | 8 | 8 | 8 | 8 | 9 | An appropriate risk management methodology was selected in 2006 Q2; implemented in 2006 Q3 and Q4; improved in 2007.
Integration of compliance strategy with business strategy | 2 | 2 | 6 | 7 | 8 | 8 | 8 | 9 | Compliance strategy became part of business strategy in 2006 Q3; reviewed along with business plans regularly from 2006 Q4 onward.
Integration of compliance program with governance framework | | | | | | | | | Compliance program became integrated with a formal governance framework from 2006 Q4 onward.
Appropriate metrics program | | | | | | | | | Metrics program was implemented from 2006 Q3 onward.
Self-governing nature of the compliance program | | | | | | | | | A self-assessment methodology was piloted in 2006 Q3 and rolled out to the entire organization in 2006 Q4.
Culture of accountability and responsibility | | | | | | | | | A vigorous awareness drive was conducted from 2006 Q4 onward.
Establishment of a continuous improvement process | | | | | | | | | A number of practices were set up to result in continuous improvements on all the aspects of the program from 2006 Q4 onward.
Overall score in percentage for the process | 18.75 | 18.75 | 41.25 | 66.3 | 72.5 | 76.25 | 78.75 | 85 |

Note: Each of the criteria is assessed at the end of a quarter on a scale of 1 to 10; 10 is for the best possible case and 1 for the worst case. * 2007 Q2, Q3 and Q4 scores are forecasted scores based on the plans finalized.

Conclusion

Regulatory compliance and, hence, security compliance are here to stay. Many organizations are increasingly realizing the ability to fulfill compliance requirements readily as a competitive business strength. In such a scenario, diligent executives, instead of taking a reactive approach, will do well by making their compliance program systematic, making efforts to improve business processes, using the compliance initiatives and the money spent to establish an ongoing process for compliance and, thereby, turning the compliance program into a competitive business advantage.

Endnotes

1. Spafford, George; "Regulatory Compliance and Security," 15 December 2005, http://itmanagement.earthweb.com/columns/article.php/3571171
2. Sethuraman, Sekar; A.J. Vijayakumar; "Enhancing Security Compliance of Your Distributed Operations by Self-assessment and Automation," ISSA Journal, July 2006
3. ISACA, CISM Review Manual 2005, USA, 2004, chapter 1
4. Frank, Diane; "Agencies Seek Security Metrics," Federal Computer Week, 19 June 2000, www.fcw.com/fcw/articles/2000/0619/pol-metrics-06-19-00.asp
5. Jelen, George; "SSE-CMM Security Metrics," NIST and CSSPAB Workshop, Washington DC, USA, 13-14 June 2000, http://csrc.nist.gov/csspab/june13-15/jelen.pdf
6. Payne, Shirley C.; "A Guide to Metrics," SANS Security Essentials GSEC Practical Assignment, 21 July 2001
7. Opacki, Dennis; "Building Business Unit Scorecards," www.adotout.com/BU_Scorecards.pdf, December 2005
8. Op. cit., Jelen

Sekar Sethuraman, CISA, CISM, CIA, CISSP, PGDM (IIMC), CSQA, BS 7799 LA, ISO 20000 Auditor is currently head of IT security (Greater Asia) at LexisNexis. He has more than 25 years of experience and has implemented information security systems for large organizations to fulfill the requirements of international standards such as ISO 17799, BS 7799 and ISO 27001. He has also helped many organizations set up effective incident response and business continuity processes. Sethuraman is the program director for the ISACA Chennai Chapter. He is a frequent speaker on various security topics, including measuring and managing the performance of information security, managing security in outsourcing, incident response, COBIT, ISMS and ISO 17799. He can be reached at sekar.sethuraman@lexisnexis.com.au.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. © 2007 Information Systems Audit and Control Association. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
