[ISN] Mapping Compliance Proof To Risk-Based Controls

http://www.darkreading.com/compliance/mapping-compliance-proof-to-risk-based-c/240155092 By Ericka Chickowski Dark Reading May 17, 2013 For years now, the risk management gurus of the world have lamented the scourge of check-box compliance, urging organizations to make more security decisions based on sound risk management. The philosophy is that risk-based decisions generally yield more compliant environments: if an organization manages its risks, then compliance will naturally fall into place. It’s a sound idea, but when organizations flip their world view from check-box compliance to risk-first decision-making, there’s bound to be times when an organization may be managing most risks well but still falls short of compliance requirements. In some cases, the organization has not documented mitigation measures well enough for the auditors yet and in others they are not quite totally compliant yet. “Controls that are implemented solely to manage a risk, and not related to a compliance requirement, are focused on minimizing exposure to risks that will affect the business,” says Steve Schlarman, eGRC Solutions Manager at RSA. “So risk management and compliance are not always equal. Therefore mapping controls to both risks and compliance requirements is necessary.” Taking a step back, though, before getting into how to do the mapping some security experts say it is important to remember that while check-box compliance may be a no-no, that doesn’t mean organizations should treat compliance concerns lightly. They just have to remember that the threat of non-compliance is just a subset of an organization’s overall risk profile. […] ______________________________________________ Visit the InfoSec News Security Bookstore Best Selling Security Books and More! http://www.shopinfosecnews.org