CIOs are under extreme compliance pressures today. Not only are they charged with increasing employee productivity
and protecting their network against data theft, but they are also being asked to document every aspect of IT compliance.
Due to all the extra work from compliance, some CIOs have been tempted to hire third-party consulting firms, such as Accenture Ltd. or Deloitte & Touche LLP, to gain an independent view of their IT compliance and security posture and take care of some of their workload. However, these third-party groups also come with a disclaimer waiving them from any legal responsibility if the results of their audit are examined for legal purposes.
Compliance requires the acceptance of legal responsibility. So why would you spend so much money on external auditors who are supposed to help you in this process, when they won't accept responsibility for their work product or your audit?
Another option, with many benefits, is to handle your audits internally. Self-assessment tends to be a more responsible and cost-effective way to create proof of best practices and a solid foundation for compliance. This method dramatically reduces the risk of downtime, noncompliance, a fine or a successful damages suit.
If you are considering self-assessment, you'll need to create a plan of action and set quarterly expectations and milestones. You'll need to establish your own internal compliance goals, a documented process that you'll require your employees to follow and a way to measure performance against the following goals:
If you are concerned with a particular regulation, have you read it to see how it affects IT requirements? For example, if you wish to comply with Visa PCI, you can download a self-assessment questionnaire from Visa. This questionnaire will help you understand the goals you'll need to set for PCI compliance. If you are concerned with another regulation, such as the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act or Sarbanes-Oxley Act, you might consider reading the regulation in detail. However, to save yourself some time and energy, the three things you can set for your compliance goals are your own best practices for confidentiality of customer records and trade secrets; integrity of the network, data center and telecommunications systems; and availability of power, network, data center and telecommunications systems.
Process documentation is important for due diligence. There are various models available such as COBIT or ISO 17799. Others are freely available for various aspects of compliance, such as Security Technical Information Guides from NIST.gov, or compliance checklists from SANS.org. Your process documentation should answer the questions of how you are ensuring confidentiality, integrity and availability.
Measuring performance is important for due care. During the process of evaluating your performance toward compliance, through self-assessment you will find weak spots. For example, it's important for the human resource staff members to perform thorough background checks on employees, but in measuring performance they may not be doing enough. Or in ensuring integrity of the network, employees are asked not to stream music and videos over the Internet. In your process documentation, an acceptable use policy was established and during a performance evaluation policy violations were found. It's important to have upper-management support on regularly scheduled performance measurements as an integral part of self-assessment. Quarterly reviews should be sufficient.
In setting compliance goals, you'll be better prepared to justify the time and energy that you and your staff will need to invest into your organization. The results will include documentation of the tools and techniques you are using to enhance your security posture. Over time, you'll be able to see constant improvement in the quality of your network and IT resources. By consistently measuring performance, it will be easier to prove that you are taking proper steps in regards to regulatory compliance.
You will not only save hundreds of thousands of dollars, but you'll also take responsibility that would ultimately be yours in the event of a breach. Self-assessment provides a more cost-effective process at documenting best practices for regulatory compliance above and beyond what external consultants and auditors will ever accomplish.
Gary Miliefsky is a CISSP, founding member of the U.S. Department of Homeland Security and a member of the Board of Directors of NEISG.org. He is also founder and chief technology officer of Bedford, Mass.-based NetClarity and can be reached at searchCIO@netclarity.net.