Wednesday, August 1

Livin La Vida Compliant

I just read a compelling white paper that I found on the IT Compliance Institute site. The theory behind the paper complements what I wrote in March of 2006 about the Identity Management Project Continuum:
Implementing IdM is not a single project. Nor is it even a few stand-alone projects. I call it a continuum.
I also mentioned others who called Identity Management a lifestyle. Compliance should be thought of in the same way. When a company aligns IT with good security practices and lives it on a daily basis, compliance happens by default. If you try to shift an entire organization into information security compliance to meet a particular audit or react to a breach, you're going to have your work cut out for you. And you're going to feel like a mouse in a wheel never quite catching up to where you want to be.

The paper encourages organizations to "adopt a culture of continuous risk management". It's worth a read for organizations that want to understand how to achieve some level of compliance -- or maybe just to minimize their overall level of risk.

In Dave Kearns' Network World newsletter today, he mentions an old truism that you should "make the cost of pilfering an asset higher than its value while keeping the cost of protecting the asset lower than the cost of replacing it." There's some truth to that -- it's a juggling act. Luckily, good security practices span across assets making the cost of security minimal on a per-asset basis. But, I think Dave's point fits nicely with the ideas above. Getting your organization into a culture of compliance will enable you to balance cost with risk and make your long-term security costs more predictable. And when regulations and compliance rules change, you'll be ready.

1 comment:

Unknown said...

Hi Matt,

I couldn't agree more. My company is in its very early stages of IdM, and the line I preach is that IdM isn't a single project, but a program consisting of many projects that eventually should mature into an operational focus that touches every aspect of our organization. Disciplines like ITIL, CMM, and SDLC all embrace this idea in some fashion.

I enjoy reading your blog. Keep up the good work.

Lance Peterman
Compass Group, Americas