Organizations struggle with the complex information security compliance demands placed upon them. Mature organizations participate in regular self-review and improvement activities on an annual basis, and in some organizations as frequently as monthly. These organizations are fortunate to have larger security teams that reflect the global (think Fortune 500) deployment of assets. This network provides an immensely valuable feedback loop on the following, among many others:
- Which practices are effective
- Which policies work well for the business, and where exceptions are being raised frequently in a way that may indicate unknown business requirements
- Attack patterns and weaknesses in the security program, based on statistical review of events within the business
- Where programs are meeting customer / client requirements, based on sales attributions and audit findings, respectively
For organizations of this sophistication, and for those of all other sizes, there is an additional input that raises the overall efficiency and effectiveness of the security compliance program: self-comparison against public data. Specifically, this means data released by government audits, intelligence committee reports, and guidance or complaints issued by government enforcement agencies. These are immensely helpful in giving businesses across all sectors insight into security threats, trends, shifting perceptions of “due care”, and areas where risks are ebbing and flowing.
A simple set that an organization may consider includes:
- Office of the Inspector General and Government Accountability Office reports (such as the Threats Facing Nation report, 4/2012 publication date)
- Data sent to the US Computer Emergency Readiness Team (US-CERT)
- Information security reports published by the Department of Veterans Affairs (for example, the FISMA FY2011 report)
- Published government reports (such as best-practice documents like the Australian Defense practices document)
- Guidance published by ISACA and the IIA
- FSA, FTC, and common law court cases
The takeaway here is that every organization should regularly identify these sources, consolidate them in a form that can be analyzed, and develop an intelligence report on any gaps in practice and security controls as documented by these organizations. This applies to every organization, not simply those in the government space. Careful analysis of these sources against the organization’s strategy, combined with the practical knowledge of internal practitioners, makes these benefits achievable.
The genesis of this article was close work with Fortune 50 organizations and the development of leading global security programs. A nice article illuminating this and other opportunities for improvement to security compliance programs is by Adam Shostack, “The evolution of information security”. A very good read.
Thoughts and expansions of the idea are always welcome!
James DeLuccia IV