Mapping Compliance Proof To Risk-Based Controls

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/compliance/mapping-compliance-proof-to-risk-based-c/240155092

By Ericka Chickowski
Dark Reading
May 17, 2013

For years now, the risk management gurus of the world have lamented the 
scourge of check-box compliance, urging organizations to make more 
security decisions based on sound risk management. The philosophy is 
that risk-based decisions generally yield more compliant environments: 
if an organization manages its risks, then compliance will naturally 
fall into place.

It's a sound idea, but when organizations flip their world view from 
check-box compliance to risk-first decision-making, there's bound to be 
times when an organization may be managing most risks well but still 
falls short of compliance requirements. In some cases, the organization 
has not documented mitigation measures well enough for the auditors yet 
and in others they are not quite totally compliant yet.

"Controls that are implemented solely to manage a risk, and not related 
to a compliance requirement, are focused on minimizing exposure to risks 
that will affect the business," says Steve Schlarman, eGRC Solutions 
Manager at RSA. "So risk management and compliance are not always equal. 
Therefore mapping controls to both risks and compliance requirements is 
necessary."

Taking a step back, though, before getting into how to do the mapping 
some security experts say it is important to remember that while 
check-box compliance may be a no-no, that doesn't mean organizations 
should treat compliance concerns lightly. They just have to remember 
that the threat of non-compliance is just a subset of an organization's 
overall risk profile.

[...]


______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org