
CA Community

The Shortcut to Control Rationalization

Published: January 26 2010, 09:05 AM
by Mike Hoefgen

The Problem
The Chief Information Security Officer (CISO) is given the mandate to ensure the IT department is compliant with these four authority documents: SOX, COBIT, PCI and ISO 27001.

The OLD Answer
The CISO reads and analyzes each of these documents and identifies the “thou must…” and “thou shall…” citations from each of these documents. He then uses that information to create a list of IT controls (activities) that must be implemented. How long would this take? Our CISO will have to read and study 448 pages and identify nearly 600 citations (yes, the citation number is accurate; I used the shortcut!).

Our CISO is not done yet: he has four lists of controls, one for each authority document. Looking at the four lists he sees duplicates between them. For example, COBIT, PCI and ISO 27001 all require management of cryptographic keys, so one properly implemented control can satisfy all three frameworks. He will have to review over 700 controls looking for duplicates (yes, the number of controls is accurate, I used the shortcut).

Obviously, this is a fictitious example. In practice, compliance with these regulations would be divided into separate groups (silos) within the organization. Each group would be assigned to at least one regulation. This situation makes the rationalization of the controls even more challenging because more groups increase the communication and collaboration challenges.

The SHORTCUT
Take the shortcut by leveraging two years' worth of work from a team of linguists, lawyers, compliance experts and practitioners. The product they created is called the Unified Compliance Framework (UCF) and it is quickly becoming the “Holy Grail” in GRC circles.

The UCF rationalizes IT controls from over 400 regulatory requirements, standards and guidelines into a single set of straightforward controls that clearly shows where global, state and industry regulations overlap, which dramatically reduces the time, effort and cost associated with regulatory compliance efforts. At this point, you might be thinking this is great, but what happens when the regulations are revised? The UCF is updated on a regular basis. For example, the Q4 2009 release includes 53 new or updated Authority Documents.

The table below illustrates our compliance example. Working with the UCF inside CA GRC Manager, I was able to dig up this information in an hour. That is a tremendous time savings when compared to the tasks our fictitious CISO had to perform. The UCF lists specific citations for each of the authority documents and their related controls. The critical point is that the controls have already been rationalized from 706 to 558. That’s a 20% reduction when compared to the “old” way of doing things with separate people listing controls for their specific authority document. 


The UCF can also be used to map your existing controls to authority documents. All you need to do is find a matching control in the UCF, then you can see all the regulations that could be satisfied by your ONE control.
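The two steps above (deduplicating the per-document control lists, then reading the mapping backwards to see every authority document one control satisfies) in a small Python script. This is an added example, not code from the post or from CA GRC Manager; the citation labels and control names are constructed for illustration and are not UCF data.

```python
from collections import defaultdict

# Constructed sample data (illustrative labels, not UCF content): for each
# authority document, the citations a reader extracted and the single
# rationalized control each citation is satisfied by.
CITATIONS = {
    "SOX": {"SOX 302": "access-review", "SOX 404": "change-management"},
    "COBIT": {"DS5.4": "access-review", "DS5.8": "crypto-key-management",
              "AI6.1": "change-management"},
    "PCI": {"3.5": "crypto-key-management", "3.6": "crypto-key-management",
            "6.4": "change-management", "8.1": "access-review"},
    "ISO 27001": {"A.10.1.2": "crypto-key-management", "A.9.2.5": "access-review",
                  "A.12.1.2": "change-management", "A.12.6.1": "vuln-management"},
}


def silo_controls(citations):
    """The 'old' way: one control list per authority document, built in isolation."""
    return {doc: set(cites.values()) for doc, cites in citations.items()}


def rationalize(citations):
    """Invert the per-document lists into one control -> [(doc, citation)] index."""
    index = defaultdict(list)
    for doc, cites in citations.items():
        for cite, control in cites.items():
            index[control].append((doc, cite))
    return dict(index)


def satisfied_by(index, control):
    """All authority documents that ONE implemented control satisfies."""
    return sorted({doc for doc, _ in index.get(control, [])})


def reduction(citations):
    """Controls counted per silo vs. after rationalization, and the % reduction."""
    before = sum(len(c) for c in silo_controls(citations).values())
    after = len(rationalize(citations))
    return before, after, round(100 * (before - after) / before, 1)


if __name__ == "__main__":
    idx = rationalize(CITATIONS)
    for control, hits in sorted(idx.items()):
        print(f"{control}: {len(hits)} citations across {satisfied_by(idx, control)}")
    print("silo vs rationalized (before, after, % reduction):", reduction(CITATIONS))
```

With the constructed data the four siloed lists hold 12 controls in total, which rationalize to 4; the crypto-key-management control alone answers citations in COBIT, PCI and ISO 27001, the same overlap the post describes.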

In a recent article on the topic, Paul Roberts, senior analyst with The 451 Group, says companies that are bound by many requirements can identify areas that overlap and thus reduce their compliance costs by taking a "fix once, comply many" approach that will streamline internal audits and reduce capital expenditures.

At CA, we have incorporated the Unified Compliance Framework into our CA GRC Manager solution and extended the mapping capabilities significantly. In addition to mapping your controls to the regulatory requirements, you can also map your risks, policies, business units, business processes and business objectives. That mapping helps you identify different aspects of your business that are affected when a control test fails. You will quickly see all the relationships with that control and therefore can take appropriate action. 

Management is always looking for ways to reduce expenses and get more for less. The UCF can provide a good foundation that can help to reduce the total number of controls that you have to deal with, thereby simplifying management and reducing total compliance costs – an important benefit, to say the least.


By: Mike Hoefgen
Mike Hoefgen has been helping clients solve business problems for over 20 years. Mike is currently a Principal Consultant with CA, Inc working with the Governance business unit and is based in Seattle. Mike holds a Bachelor of Science degree in electrical engineering from the University of Wisconsin...
