A research firm is spearheading an effort to provide organizations with a way to see how the IT controls they implement for security and compliance compare with those of industry peers.
The Consensus Controls project introduces the concept of peer review due care, said Brandon Dunlap, managing director of research at Houston-based Brightfly Inc. "The definition of due care is what a reasonable person in the same circumstances would do. A lot of people are introducing controls to achieve due care, but without context," he said.
It can be tricky for organizations to figure out which controls to implement for complying with regulations such as HIPAA and SOX, he said. They often turn to frameworks like ISO 17799 or COBIT, but can wind up picking and choosing whatever controls "fit their risk appetite and they think can get them through an audit," Dunlap said. Finding the right balance is therefore a difficult and risky task.
"At the end of the day, organizations that spend more money on controls are way out there by themselves and taking money from shareholders because they're overdoing it," Dunlap said. "Conversely, if you're underdoing it, you're probably going to get hit by a regulator or possibly a lawsuit."
The Consensus Controls project is designed to allow organizations to upload their spreadsheets of controls and compare them with their peers. For example, a health care company on the East Coast using a particular audit firm could compare its controls with other health care organizations in its area that use the same auditor. The information could arm a company with valuable data to work with auditors and executive boards, Dunlap said.
"We're trying to provide a level of consensus building around what is appropriate based on your organization, your geography and risk exposures," he said. "We're trying to get people to tear down walls between their organizations and across industries to essentially decide what is reasonable when it comes to security and compliance considerations."
Dunlap said he's working with a variety of professional groups, including the Information Systems Audit and Control Association (ISACA) and the Center for Internet Security (CIS) to garner support for the project before formally launching it. Participants will be able to provide control data anonymously, if they prefer.
J.J. Thompson, president of the Information Systems Security Association (ISSA) Silicon Valley chapter, said ISSA members were "excited and intrigued" when Dunlap told them about the project at a meeting last month. Thompson, a partner at Rook Consulting, a San Jose-based IT risk management advisory services firm, was invited by Dunlap to help with the project.
"The lack of a mechanism for benchmarking controls with peers has led to the empowerment of auditors to drive the decision for what is 'reasonable.' Now the tables will be turned and industry will be able to support their own assessment of reasonability and the auditors will have to agree," Thompson said.
The project "will completely change the way we manage and audit compliance within the next two years," he added.
Thompson said the current state of the economy will mean IT executives are pushed more than ever to reduce operating costs. Focusing on compliance inefficiencies is one way to reduce costs, and Consensus Controls will enable organizations to "right-size" their control environment, he said.
Brightfly is providing the initial funding and stewardship for the project but the hope is that it will become self-sustaining with broad community involvement, Dunlap said.