Consensus Controls project aims to set benchmarks for compliance

By Marcia Savage, Features Editor, Information Security magazine
03 Oct 2008 | SearchSecurity.com

A research firm is spearheading an effort to provide organizations with a way to see how the IT controls they implement for security and compliance compare with those of industry peers.

The Consensus Controls project introduces the concept of peer review due care, said Brandon Dunlap, managing director of research at Houston-based Brightfly Inc. "The definition of due care is what a reasonable person in the same circumstances would do. A lot of people are introducing controls to achieve due care, but without context," he said.

It can be tricky for organizations to figure out which controls to implement to comply with regulations such as HIPAA and SOX, he said. They often turn to frameworks like ISO 17799 (since renumbered ISO/IEC 27002) or COBIT, but can wind up picking and choosing whatever controls "fit their risk appetite and they think can get them through an audit," Dunlap said. Finding the right balance can therefore be a difficult and risky task.

"At the end of the day, organizations that spend more money on controls are way out there by themselves and taking money from shareholders because they're overdoing it," Dunlap said. "Conversely, if you're underdoing it, you're probably going to get hit by a regulator or possibly a lawsuit."

The Consensus Controls project is designed to allow organizations to upload their spreadsheets of controls and compare them with their peers. For example, a health care company on the East Coast using a particular audit firm could compare its controls with other health care organizations in its area that use the same auditor. The information could arm a company with valuable data to work with auditors and executive boards, Dunlap said.

"We're trying to provide a level of consensus building around what is appropriate based on your organization, your geography and risk exposures," he said. "We're trying to get people to tear down walls between their organizations and across industries to essentially decide what is reasonable when it comes to security and compliance considerations."

Dunlap said he's working with a variety of professional groups, including the Information Systems Audit and Control Association (ISACA) and the Center for Internet Security (CIS) to garner support for the project before formally launching it. Participants will be able to provide control data anonymously, if they prefer.

J.J. Thompson, president of the Information Systems Security Association (ISSA) Silicon Valley chapter, said ISSA members were "excited and intrigued" when Dunlap told them about the project at a meeting last month. Thompson, a partner at Rook Consulting, a San Jose-based IT risk management advisory services firm, was invited by Dunlap to help with the project.

"The lack of a mechanism for benchmarking controls with peers has led to the empowerment of auditors to drive the decision for what is 'reasonable.' Now the tables will be turned and industry will be able to support their own assessment of reasonability and the auditors will have to agree," Thompson said.

The project "will completely change the way we manage and audit compliance within the next two years," he added.

Thompson said the current state of the economy will mean IT executives will be pushed more than ever to reduce operating costs. Focusing on compliance inefficiencies is one way to reduce costs and Consensus Controls will enable organizations to "right-size" their control environment, he said.

Brightfly is providing the initial funding and stewardship for the project but the hope is that it will become self-sustaining with broad community involvement, Dunlap said.

All Rights Reserved, Copyright 2009, TechTarget