Due to the increased reliance on information technology (IT) and digital content, the value of information assets have increased significantly. Organizations depend mainly on IT to provide standard operating environment for conducting business activities. As a result, controlling risks to personal information via enhanced proper security controls has become a critical subject. Moreover, the failure to defend valuable & critical information can certainly result in high financial and public cost and may also cause disruption of business activities.
To comply with security practices, enterprises must not only develop comprehensive information security programs but also manage effectively security procedures and controls. In case organizations fail to approach information security compliance in a systematic and integrated way, this results in incomplete, redundant or expensive security controls and procedures.
Although the use of security standards targets the establishment of specific countermeasures and safeguard policies, it is rarely specified which type of enterprise is compatible with particular security practices (e.g. ISO 17799 or NIST 800 series). As a result, the need for compliance has caused many misfits within the organizational society and the most profound reasons are the ambiguous compatibility of security standards, the increased cost towards compliance and the requirement for the certification of security standards.
The main purpose of this paper is to explore the challenges that compliance management face on the grounds of ambivalent compatibility, compliance cost and certification procedures to improve the efficiency and effectiveness of managed IT service standards.
The success of a security compliance program depends on whether the staff can adapt to a well defined security framework. Way back in 1988 Gasser wrote, “The problem is people, not computers” which means that information security professionals need to realize that they are factors inside the equation that creates poor security compliance.
Given the abundance of security guidelines and standards, IT departments find themselves surrounded by a plethora of rules being initiated from different authorities, each of which may have a legitimate responsibility on certain business activities. Consequently, the real issue begins when other organizations establish rules for enterprise operations.
Each organization is different in structure and security requirements; therefore, information security compliance depends on whether customized policies and procedures can adapt to current or future security regulation and business environment. The security compliance process should be able to review technical, psychical and administrative security practices and explicitly define how security policies and procedures are to be implemented and integrated with the current security and business activities and also how well business units’ work together to ensure that information security practices are harmonized and consistent.
The organization information security program must ensure that all system users understand and follow information security practices and to manage that, a risk analysis assessment procedure should take place to gather, analyses and identify risks and the selection criteria prior to installing security practices.
TO BE OR NOT TO BE COMPLIANT?
Compliance in information security requires a team effort that reaches from the highest levels of hierarchy (usually the CEO or Board) to the lowest level (employees) of workforce who are using the end results of the compliant components. The decision to adjust to a security framework depends heavily on the organizational management and transparency of operations. To reduce compliance costs while strengthening security, organizations should automate much of the security activity while keeping continuous human monitoring. This is because compliance controls are a mixture of software programmed processes and human procedures so in order to make the compliance program less costly in time and money requires the integration of business processes within the information security compliance control.
TOWARDS A UNIFIED APPROACH
A growing trend within the business and IT professionals is the recognition that to effectively manage the IT environment, there needs to be a move away from a sole security approach towards an integrated framework of best security practices and procedures. Organizations making current investments in ITIL, ISO and COBIT are often subject to significantly greater levels of external compliance pressure from those who choose to focus on a single set of security practices. Nevertheless, by its very nature, security practices and standards adherence is an unachievable goal and at the same time a continuous organizational commitment and procedure.
Security countermeasures and safeguards are considered optimal when analyzing risk in the context of the business goals and the outcome of risk analysis has a positive return on investment (ROI). To fulfil compliance goals, a unified approach to information security compliance needs to become the guiding influence for ensuring that all the different security domains work together in a holistic and synergistic manner, in configuration with the business objectives.
Nothing is perfect, especially in security, thus the compliance process should be regularly monitored, tested, reviewed and modified against emerging risks and evolving threats. The certification approval is a fundamental part of the unified process and has the role to confirm knowledge in information security systems and assurance. Information assurance is meant to be a secure development process which ensures that product security standards are state-of-the-art and applied consistently throughout the organization.
The increased challenges towards information security compliance have caused serious incentives to implement comprehensive information security practices. A credible method of securing information assets is the successful use of multiple frameworks which indeed require business, IT and human cooperation. This is because security applies in all organization areas and affects operational procedures (Business Processes) from different viewpoints. By adopting a unified approach to information security compliance, business institutions are expected to successfully manage the growing number of ongoing security risks because it is believed to create synergetic and stronger compliance efforts along with more consistent measurement, self-assessment and audit reporting.