SlideShare a Scribd company logo

How to integrate risk into your compliance-only approach

A
Abhishek Sood

The document discusses the challenges faced by Chief Information Security Officers (CISOs) regarding the development and management of information security policies and standards, which often lead to confusion and increased organizational liability due to a compliance-only approach. It identifies four common symptoms of this approach: restating regulatory mandates without adaptation, using generic policies, employing ineffective risk registers, and having overlapping assurance programs. The document advocates for an integrated risk and compliance approach to enhance policy effectiveness and reduce risk, facilitating faster deployment and easier maintenance of security frameworks.

Data & Analytics
1 of 16
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
WHITE PAPER INTEGRATED RISK MANAGEMENT End the Struggle with InfoSec Policies and Standards through Risk & Compliance Integration
Information Security Policies and Standards are a Chief Information Security Officer’s primary tool for communicating security expectations throughout the organization. However, for many organizations, they are more a source of confusion, and worse, they can increase the organization’s liability. Employees are forced to sift through bloated, complex, and frequently contradictory documents and then deduce what requirements apply to them in their particular role and circumstance. Neither security managers nor internal auditors can confidently attest they meet minimum regulatory compliance and risk management practices. This is usually a result of a CISO taking a compliance- only approach meant to satisfy an auditor. The hallmark of such an approach is simply restating regulatory mandates into policies and standards or using generic “out-of-the-box” policies. Other symptoms of this mindset include the use of a generic risk register and overlapping assurance programs. Why CISOs Struggle with Information Security Policies and Standards
In this situation, policy and standards compliance processes are disconnected from other risk and compliance processes creating confusion for the organization. As regulations evolve, this burden only increases. This is an ineffective approach. Eventually a complete rewrite becomes an easier task than attempting to review and update the current set of documents. When this point is reached, we advocate CISOs take the time to correct the root cause of the problem as we see it: failure to build Policies and Standards with an integrated risk and compliance approach. In this book, we will cover the 4 symptoms of a compliance-only approach and the benefits of a risk-integrated approach.
4 3 2 1 The four symptoms The Symptoms of A Compliance-Only Approach 1 2 3 4 Simply re-stating regulatory mandates into policies and standards without first interpreting and right-sizing for the unique risk posture of the organization. Use of “out-of-the-box” policies obtained through tools or websites that do not meet applicable federal, state, industry and internal mandates. Use of a generic risk-register that doesn’t include internal policies and standards. Overlapping assurance programs, typically aligned against each regulatory mandate, which burden staff and complicate reporting requirements. Although the results of a compliance-only information security mindset show up at various levels throughout the organization, we’ve identified four common symptoms of this problem.
1 Simply Re-Stating Regulatory Mandates The aim of a narrow, compliance-only approach is to survive an audit review of policy documents without any findings. Thus, the tendency is to add any and all mandates to governance documents to minimize chances of a gap. The problem with this approach is it can actually increase an organization’s risk level. Simply restating regulatory mandates into policies and standards can unnecessarily restrict an organization’s compliance options. Whereas before it had the flexibility to identify alternate means to mitigate risk, it has now mandated itself to follow a prescribed approach. Further, many regulatory mandates are more appropriately enforced at the process or procedure level. Take for example, the practice of testing in production. Although broadly recognized as non-ideal, for some environments and situations, it is simply unavoidable. Do your policies generically state this common mandate, or is it tailored to your unique risk? Do they identify alternative controls that equivalently mitigate risk? If an organization fails to make this distinction, it increases exposure to any regulator, auditor, or insurance company that may evaluate the organization’s policy compliance.
Excessive focus on a single regulatory source (e.g., HIPAA, PCI, or FFIEC only) and not sufficiently customized to other applicable federal, state and industry-specific sources. Not written for the organization’s current InfoSec maturity and culture. Inclusion of controls the organization cannot meet due to technical or operational infeasibility. Exclusion of or insufficient consideration for internally derived mandates applicable to the organization. A CISO may be attracted to this approach if they are trying to “check the box” on policy compliance. Many GRC tools and websites are populated with generic content for organizations to use. However, we find that such generic content generally has the following shortcomings: The typical result is an organization that is over-controlled in some areas and under- controlled in others – exposing it to unnecessary costs and audit findings. Where should a CISO start? After all, where does one begin organizing the mass of various topics and overlapping requirements? In our experience, CISOs are better off focusing their time on building a strong organization-specific risk register and using it as the spine for developing InfoSec Policies and Standards. This leads directly to the next common symptom. 2 Use of “Out-of- the-box” Policies
What are the controls I must address to be compliant? How important are these controls to my organization (what is the inherent risk?) How effective are these controls in my organization (what is the residual risk?) What are the mandates driving the need for those controls? The key to simplifying the risk and compliance challenge is a well-defined, organization-specific risk register. Such a tool clarifies: However, such a tool has historically proven to be a barrier to entry. After all, it takes considerable effort to identify all regulatory sources, map them to a harmonized control library, and allocate associated risk ratings. For this reason, many CISOs will either adopt a generic risk register from a GRC tool or website. Or fail to build a risk register at all–instead adopting a compliance-only approach. We strongly caution CISOs against adoption of a generic risk register as they are typically impractical from an assurance perspective and can significantly drive up testing costs. Instead, we advocate a middle ground where organizations adopt a managed content library that can be rapidly customized to include incorporation of its own policies and standards as sources themselves. Such an approach lowers the barrier to entry, while keeping a practical implementation. 3 Use of a Generic Risk-Register
A compliance-only approach will wastefully organize testing around individual regulatory sources. The burden for such an approach is acutely felt by IT staff. For example, a system owner must respond to a SOX compliance test. And then a PCI compliance test. And then, a round of tests for internal policy compliance. This all adds up to high compliance costs and may overwhelm staff. A better approach is to integrate all controls into a single framework, allowing a single assessment for control definition, and a single testing pass that measures compliance against all regulatory and internal mandates. This approach treats Policies and Standards like just another regulatory mandate and positions the governance documents as the communication tools they’re intended to be rather than a tool to placate auditors. 4 Overlapping Assurance Programs
The root cause of the policy and standards stuggle is a failure to build them through an integrated risk and compliance approach. We advocate an approach that tightly integrates policies and standards with a risk register linked to mandates; which is subsequently used to drive control planning and testing. This approach effectively integrates risk and compliance processes and avoids the common symptoms mentioned while allowing a CISO to overhaul their policies and standards in just 2–3 months. Tackle the Problem with An Integrated Risk & Compliance Approach Risk Register An Integrated Risk and Compliance Approach... ...Answers Key CISO Questions Policies & Standards Control Testing Control Planning Do my Policies & Standards meet the latest regulatory minimums? Have I committed to a regulatory mandate we cannot meet? Where do my Policies & Standards under-control or over-control? Can I measure my Policy Standards compliance?
Leveraging our iGRC Content Library as an accelerator, Edgile can help you rapidly deploy a full refresh of InfoSec policies and standards. At the same time, we establish a GRC foundation that ensures you can: Accelerate your journey Operationalize the controls in your environment Assess Once, Test Once and Satisfy both internal policy and standard compliance and external compliance (e.g. laws and regulations) Easily maintain the documents as regulations evolve Sustain a Risk Register with verbatim linkage to laws and regulations Benefits of a Risk-Integrated Approach This methodology has demonstrated its value with consistent success across numerous clients. Rather than being a one-off task for auditors, authoring governance documents becomes a central aspect of the risk and compliance management program, driving security controls throughout the organization. The top four benefits we’ve seen from this approach are: Reduced Risk Reduced Deployment Time Rapid Operationalization Easy Maintenance 1 2 3 4
The risk register becomes the CISO’s “single source of truth” regarding compliance and risk mandates. When policies and standards are mapped to a risk register, an organization can confidently “right-size” the control environment in a manner commensurate with its actual and desired risk. The result is the CISO now has both the insight and the ability to address areas where the organization is under- controlled or over-controlled. 1Reduced Risk
2 Reduced Deployment Time Historically, the barrier to entry for this approach is untenable: identifying all regulatory sources, mapping them to a harmonized control library, and building a risk register. However, when using our iGRC Content Managed Service, the hard part is already done. Now, one can simply translate and apply the identified requirements into policy/standard language appropriate for the organization’s desired risk posture. In general, we’ve been able to deploy a risk register and a draft full-spectrum set of information security policies and standards in as little as 2-3 months.
Our methodology integrates policy and standards compliance with other risk and assurance processes. An optimized framework means simplified deployment and faster adoption. This ensures every asset owner clearly knows what controls they must adhere to. Further, you can assess once, test once and report on compliance against multiple mandates using a common process that can be scaled up or down considering the organization’s assurance requirements. 3 Rapid Operationalization
4 Easy Maintenance Keeping track of new regulatory rules and guidance from state, federal, and industry-specific authorities is an intensive effort requiring legal expertise. For most organizations, this requires expensive, highly skilled dedicated resources. Our content managed service provide access to the dedicated Edgile team of attorneys, risk and compliance, and InfoSec experts. Now you can have your mandates monitored and harmonized with quarterly updates with a consistent, high-quality Risk Register delivered at a lower cost to the organization.
1 2 3 4 Review CISOs struggle with Information Security Policies and Standards because over time, these Polices and Standards become complex, bloated and frequently contradictory. Neither security managers nor internal auditors can confidently attest they meet minimum regulatory compliance and risk management practices. The root cause of these problems: Failure to build Policies and Standards with an Integrated Risk and Compliance Approach. Simply re-stating regulatory mandates Use of “out-of-the-box” policies Overlapping assurance programs Use of a generic risk- register Instead, policies and standards are too often authored with a compliance-only mindset. There are four common symptoms of this problem: Edgile’s Integrated Risk and Compliance Approach leverages our iGRC Content Library to accelerate your deployment. The benefits of our approach include: Reduced Risk Reduced Deployment Time Rapid Operationalization Easy Maintenance 1 2 3 4
Edgile is the trusted cyber risk and compliance partner to the world’s leading organizations, providing consulting, managed services, and harmonized regulatory content. Our strategy-first model optimizes IAM, GRC, and cybersecurity both on-premises and in the cloud. By transforming risk into opportunity, we secure the modern enterprise through solutions that increase business agility and create a competitive advantage for our clients. For more information about Edgile, visit www.edgile.com. About Edgile

More Related Content

PDF
Third Party Risk Assessment Due Diligence - Managed Service as Best Practice
DVV Solutions Third Party Risk Management
 
PDF
Forrester Infographic
Thang Cao (He/Him)
 
PPTX
it grc
9535814851
 
PDF
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Corporater
 
PDF
Compliance Risk Assessment
Compliance Consultant
 
PPTX
Presentation_IA Focus
saurav Chandgothia
 
PPTX
Fix nix, inc
FixNix Inc.,
 
PDF
How to measure your cybersecurity performance
Abhishek Sood
 
Third Party Risk Assessment Due Diligence - Managed Service as Best Practice
DVV Solutions Third Party Risk Management
 
Forrester Infographic
Thang Cao (He/Him)
 
it grc
9535814851
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Corporater
 
Compliance Risk Assessment
Compliance Consultant
 
Presentation_IA Focus
saurav Chandgothia
 
Fix nix, inc
FixNix Inc.,
 
How to measure your cybersecurity performance
Abhishek Sood
 

What's hot (15)

PDF
Compliance Programs Critical Safeguard
McKesson Practice Consulting
 
PDF
Seven Elements Of Effective Compliance Programs
Maria Macri
 
PPTX
Healthcare It Security Risk 0310
John Reno
 
PDF
Hernan Huwyler Corporate Risk Assesstment Compliance Risks
Hernan Huwyler, MBA CPA
 
PPTX
Managing Organizational Risk: The Mighty Triad of Compliance, Internal Audit,...
PYA, P.C.
 
PDF
5 steps for better risk assessment
DrMohammedFarid
 
PDF
Standards in Third Party Risk - DVV Solutions ISACA North May 19
DVV Solutions Third Party Risk Management
 
PPTX
What is GRC – Governance, Risk and Compliance
BOC Group
 
PPT
E Discovery V2.Pdf
Fred Travis
 
PDF
Compliance Management | Compliance Solutions
Corporater
 
PDF
White Paper: A summary of the FSA thematic review
LexisNexis Benelux
 
PDF
Reciprocity_Consolidated Objectives eBook v2
justinklooster
 
PPTX
Social media risks guide
AstalapulosListestos
 
PDF
Third-party Governance and Risk Management - 2018
Deloitte UK
 
PDF
Compliance framework
Manoj Agarwal
 
Compliance Programs Critical Safeguard
McKesson Practice Consulting
 
Seven Elements Of Effective Compliance Programs
Maria Macri
 
Healthcare It Security Risk 0310
John Reno
 
Hernan Huwyler Corporate Risk Assesstment Compliance Risks
Hernan Huwyler, MBA CPA
 
Managing Organizational Risk: The Mighty Triad of Compliance, Internal Audit,...
PYA, P.C.
 
5 steps for better risk assessment
DrMohammedFarid
 
Standards in Third Party Risk - DVV Solutions ISACA North May 19
DVV Solutions Third Party Risk Management
 
What is GRC – Governance, Risk and Compliance
BOC Group
 
E Discovery V2.Pdf
Fred Travis
 
Compliance Management | Compliance Solutions
Corporater
 
White Paper: A summary of the FSA thematic review
LexisNexis Benelux
 
Reciprocity_Consolidated Objectives eBook v2
justinklooster
 
Social media risks guide
AstalapulosListestos
 
Third-party Governance and Risk Management - 2018
Deloitte UK
 
Compliance framework
Manoj Agarwal
 
Ad

Similar to How to integrate risk into your compliance-only approach (20)

PDF
Introduction to IT compliance program and Discuss the challenges IT .pdf
SALES97
 
PDF
Tips For Being Compliance Ready
Peak 10
 
PDF
Dimension data pursuing compliance in public cloud white paper
Jason Cumberland
 
PDF
DVV Solutions Central Bank of Ireland Outsourcing discussion paper response 1...
DVV Solutions Third Party Risk Management
 
PPTX
How an Organization Can Elevate Compliance Standards
360factors
 
PDF
Security Governance by Risknavigator 2010
Lennart Bredberg
 
PPTX
Common Governance, Risk, and Compliance Challenges and How to Tackle Them.pptx
bidhanbarman2508
 
PPTX
Emerging Trends in Compliance and Risk Management for 2025 and Beyond.pptx
bidhanbarman2508
 
PDF
2015 Tackling This Year's Audit Hot Spots
Ron Steinkamp
 
DOCX
CHAPTER 3 Security Policies and Regulations In this chap
EstelaJeffery653
 
PPTX
Stages of Compliance and Risk Management_ A Strategic Roadmap for Modern Ente...
bidhanbarman2508
 
PDF
Is your company risking Non-Compliance
Siddharth Joshi
 
DOCX
Understanding the Roles and Responsibilities of ISMS Auditor.docx
INTERCERT
 
DOCX
CHAPTER 5 Security Policies, Standards, Procedures, a
MaximaSheffield592
 
PDF
Compliance risk management planning 2017-02-mattoon
Cris Mattoon, J.D., CCEP, MCM
 
PPTX
_Building a Culture of Compliance_ How a Compliance Management System Helps O...
bidhanbarman2508
 
DOCX
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
Haresh Lalwani
 
PPTX
Spire Brief - Risk Consulting
Prashant Jain
 
PDF
Ey segregation of_duties
Indrani Bhattacharya
 
PPTX
Common governance, risk, and compliance Challenges and How to Overcome Them.pptx
bidhanbarman2508
 
Introduction to IT compliance program and Discuss the challenges IT .pdf
SALES97
 
Tips For Being Compliance Ready
Peak 10
 
Dimension data pursuing compliance in public cloud white paper
Jason Cumberland
 
DVV Solutions Central Bank of Ireland Outsourcing discussion paper response 1...
DVV Solutions Third Party Risk Management
 
How an Organization Can Elevate Compliance Standards
360factors
 
Security Governance by Risknavigator 2010
Lennart Bredberg
 
Common Governance, Risk, and Compliance Challenges and How to Tackle Them.pptx
bidhanbarman2508
 
Emerging Trends in Compliance and Risk Management for 2025 and Beyond.pptx
bidhanbarman2508
 
2015 Tackling This Year's Audit Hot Spots
Ron Steinkamp
 
CHAPTER 3 Security Policies and Regulations In this chap
EstelaJeffery653
 
Stages of Compliance and Risk Management_ A Strategic Roadmap for Modern Ente...
bidhanbarman2508
 
Is your company risking Non-Compliance
Siddharth Joshi
 
Understanding the Roles and Responsibilities of ISMS Auditor.docx
INTERCERT
 
CHAPTER 5 Security Policies, Standards, Procedures, a
MaximaSheffield592
 
Compliance risk management planning 2017-02-mattoon
Cris Mattoon, J.D., CCEP, MCM
 
_Building a Culture of Compliance_ How a Compliance Management System Helps O...
bidhanbarman2508
 
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
Haresh Lalwani
 
Spire Brief - Risk Consulting
Prashant Jain
 
Ey segregation of_duties
Indrani Bhattacharya
 
Common governance, risk, and compliance Challenges and How to Overcome Them.pptx
bidhanbarman2508
 
Ad

More from Abhishek Sood (20)

PDF
The future of enterprise management
Abhishek Sood
 
PDF
Gain new visibility in your DevOps team
Abhishek Sood
 
PDF
Cybersecurity the new metrics
Abhishek Sood
 
PDF
Azure IaaS: Cost savings, new revenue opportunities, and business benefits
Abhishek Sood
 
PDF
3-part approach to turning IoT data into business power
Abhishek Sood
 
PDF
How a bad HR dept. can lose $9M
Abhishek Sood
 
PDF
Big news coming for DevOps: What you need to know
Abhishek Sood
 
PDF
Microservices best practices: Integration platforms, APIs, and more
Abhishek Sood
 
PDF
Why adopt more than one cloud service?
Abhishek Sood
 
PDF
Cloud Application Security --Symantec
Abhishek Sood
 
PDF
DLP 101: Help identify and plug information leaks
Abhishek Sood
 
PDF
IoT: 3 keys to handling the oncoming barrage of use cases
Abhishek Sood
 
PDF
How 3 trends are shaping analytics and data management
Abhishek Sood
 
PDF
API-led connectivity: How to leverage reusable microservices
Abhishek Sood
 
PDF
How to create a secure high performance storage and compute infrastructure
Abhishek Sood
 
PDF
Enterprise software usability and digital transformation
Abhishek Sood
 
PDF
Transforming for digital customers across 6 key industries
Abhishek Sood
 
PDF
Authentication best practices: Experts weigh in
Abhishek Sood
 
PDF
Tips --Break Down the Barriers to Better Data Analytics
Abhishek Sood
 
PDF
Attivio discovery insight innovation --Whitepaper
Abhishek Sood
 
The future of enterprise management
Abhishek Sood
 
Gain new visibility in your DevOps team
Abhishek Sood
 
Cybersecurity the new metrics
Abhishek Sood
 
Azure IaaS: Cost savings, new revenue opportunities, and business benefits
Abhishek Sood
 
3-part approach to turning IoT data into business power
Abhishek Sood
 
How a bad HR dept. can lose $9M
Abhishek Sood
 
Big news coming for DevOps: What you need to know
Abhishek Sood
 
Microservices best practices: Integration platforms, APIs, and more
Abhishek Sood
 
Why adopt more than one cloud service?
Abhishek Sood
 
Cloud Application Security --Symantec
Abhishek Sood
 
DLP 101: Help identify and plug information leaks
Abhishek Sood
 
IoT: 3 keys to handling the oncoming barrage of use cases
Abhishek Sood
 
How 3 trends are shaping analytics and data management
Abhishek Sood
 
API-led connectivity: How to leverage reusable microservices
Abhishek Sood
 
How to create a secure high performance storage and compute infrastructure
Abhishek Sood
 
Enterprise software usability and digital transformation
Abhishek Sood
 
Transforming for digital customers across 6 key industries
Abhishek Sood
 
Authentication best practices: Experts weigh in
Abhishek Sood
 
Tips --Break Down the Barriers to Better Data Analytics
Abhishek Sood
 
Attivio discovery insight innovation --Whitepaper
Abhishek Sood
 

Recently uploaded (20)

PPTX
Business Acumen Training GuidePresentation.pptx
stephvshelton19
 
PPTX
IBA_Chapter_11_Slides_Final_Accessible.pptx
SrikantKapoor1
 
PPTX
climate analysis of Dhaka ,Banglades.pptx
rrawjatun
 
PPTX
Business Ppt On Nestle.pptx huunnnhhgfvu
ashaurya327
 
PPTX
MODULE 8 - DISASTER risk PREPAREDNESS.pptx
AceAquino4
 
PDF
Mega Projects Data Mega Projects Data
saidsalah8181
 
PPT
Chapter 2 METAL FORMINGhhhhhhhjjjjmmmmmmmmm
JanakiRaman206018
 
PDF
.pdf is not working space design for the following data for the following dat...
jerinjoy242
 
PPTX
Introduction-to-Cloud-ComputingFinal.pptx
testnet29393883
 
PPTX
Moving the Public Sector (Government) to a Digital Adoption
PaulYoung221210
 
PDF
“Getting Started with Data Analytics Using R – Concepts, Tools & Case Studies”
Nusrat Gulbarga
 
PPTX
oil_refinery_comprehensive_20250804084928 (1).pptx
TusharPrajapati65
 
PDF
Clinical guidelines as a resource for EBP(1).pdf
MashalKhan626345
 
PPTX
Introduction to Knowledge Engineering Part 1
busyprogrammersguide
 
PPTX
iec ppt-1 pptx icmr ppt on rehabilitation.pptx
thirishadevan81
 
PPTX
DISORDERS OF THE LIVER, GALLBLADDER AND PANCREASE (1).pptx
chepkoitcheruiyot
 
PPT
Miokarditis (Inflamasi pada Otot Jantung)
NandaAndini1
 
PPTX
Data_Analytics_and_PowerBI_Presentation.pptx
ZubyrAhmed
 
PPTX
STUDY DESIGN details- Lt Col Maksud (21).pptx
AyeshaAsha11
 
PPTX
Introduction to Firewall Analytics - Interfirewall and Transfirewall.pptx
kuthubussaman1
 
Business Acumen Training GuidePresentation.pptx
stephvshelton19
 
IBA_Chapter_11_Slides_Final_Accessible.pptx
SrikantKapoor1
 
climate analysis of Dhaka ,Banglades.pptx
rrawjatun
 
Business Ppt On Nestle.pptx huunnnhhgfvu
ashaurya327
 
MODULE 8 - DISASTER risk PREPAREDNESS.pptx
AceAquino4
 
Mega Projects Data Mega Projects Data
saidsalah8181
 
Chapter 2 METAL FORMINGhhhhhhhjjjjmmmmmmmmm
JanakiRaman206018
 
.pdf is not working space design for the following data for the following dat...
jerinjoy242
 
Introduction-to-Cloud-ComputingFinal.pptx
testnet29393883
 
Moving the Public Sector (Government) to a Digital Adoption
PaulYoung221210
 
“Getting Started with Data Analytics Using R – Concepts, Tools & Case Studies”
Nusrat Gulbarga
 
oil_refinery_comprehensive_20250804084928 (1).pptx
TusharPrajapati65
 
Clinical guidelines as a resource for EBP(1).pdf
MashalKhan626345
 
Introduction to Knowledge Engineering Part 1
busyprogrammersguide
 
iec ppt-1 pptx icmr ppt on rehabilitation.pptx
thirishadevan81
 
DISORDERS OF THE LIVER, GALLBLADDER AND PANCREASE (1).pptx
chepkoitcheruiyot
 
Miokarditis (Inflamasi pada Otot Jantung)
NandaAndini1
 
Data_Analytics_and_PowerBI_Presentation.pptx
ZubyrAhmed
 
STUDY DESIGN details- Lt Col Maksud (21).pptx
AyeshaAsha11
 
Introduction to Firewall Analytics - Interfirewall and Transfirewall.pptx
kuthubussaman1
 

How to integrate risk into your compliance-only approach

  • 1. WHITE PAPER INTEGRATED RISK MANAGEMENT End the Struggle with InfoSec Policies and Standards through Risk & Compliance Integration
  • 2. Information Security Policies and Standards are a Chief Information Security Officer’s primary tool for communicating security expectations throughout the organization. However, for many organizations, they are more a source of confusion, and worse, they can increase the organization’s liability. Employees are forced to sift through bloated, complex, and frequently contradictory documents and then deduce what requirements apply to them in their particular role and circumstance. Neither security managers nor internal auditors can confidently attest they meet minimum regulatory compliance and risk management practices. This is usually a result of a CISO taking a compliance- only approach meant to satisfy an auditor. The hallmark of such an approach is simply restating regulatory mandates into policies and standards or using generic “out-of-the-box” policies. Other symptoms of this mindset include the use of a generic risk register and overlapping assurance programs. Why CISOs Struggle with Information Security Policies and Standards
  • 3. In this situation, policy and standards compliance processes are disconnected from other risk and compliance processes creating confusion for the organization. As regulations evolve, this burden only increases. This is an ineffective approach. Eventually a complete rewrite becomes an easier task than attempting to review and update the current set of documents. When this point is reached, we advocate CISOs take the time to correct the root cause of the problem as we see it: failure to build Policies and Standards with an integrated risk and compliance approach. In this book, we will cover the 4 symptoms of a compliance-only approach and the benefits of a risk-integrated approach.
  • 4. 4 3 2 1 The four symptoms The Symptoms of A Compliance-Only Approach 1 2 3 4 Simply re-stating regulatory mandates into policies and standards without first interpreting and right-sizing for the unique risk posture of the organization. Use of “out-of-the-box” policies obtained through tools or websites that do not meet applicable federal, state, industry and internal mandates. Use of a generic risk-register that doesn’t include internal policies and standards. Overlapping assurance programs, typically aligned against each regulatory mandate, which burden staff and complicate reporting requirements. Although the results of a compliance-only information security mindset show up at various levels throughout the organization, we’ve identified four common symptoms of this problem.
  • 5. 1 Simply Re-Stating Regulatory Mandates The aim of a narrow, compliance-only approach is to survive an audit review of policy documents without any findings. Thus, the tendency is to add any and all mandates to governance documents to minimize chances of a gap. The problem with this approach is it can actually increase an organization’s risk level. Simply restating regulatory mandates into policies and standards can unnecessarily restrict an organization’s compliance options. Whereas before it had the flexibility to identify alternate means to mitigate risk, it has now mandated itself to follow a prescribed approach. Further, many regulatory mandates are more appropriately enforced at the process or procedure level. Take for example, the practice of testing in production. Although broadly recognized as non-ideal, for some environments and situations, it is simply unavoidable. Do your policies generically state this common mandate, or is it tailored to your unique risk? Do they identify alternative controls that equivalently mitigate risk? If an organization fails to make this distinction, it increases exposure to any regulator, auditor, or insurance company that may evaluate the organization’s policy compliance.
  • 6. Excessive focus on a single regulatory source (e.g., HIPAA, PCI, or FFIEC only) and not sufficiently customized to other applicable federal, state and industry-specific sources. Not written for the organization’s current InfoSec maturity and culture. Inclusion of controls the organization cannot meet due to technical or operational infeasibility. Exclusion of or insufficient consideration for internally derived mandates applicable to the organization. A CISO may be attracted to this approach if they are trying to “check the box” on policy compliance. Many GRC tools and websites are populated with generic content for organizations to use. However, we find that such generic content generally has the following shortcomings: The typical result is an organization that is over-controlled in some areas and under- controlled in others – exposing it to unnecessary costs and audit findings. Where should a CISO start? After all, where does one begin organizing the mass of various topics and overlapping requirements? In our experience, CISOs are better off focusing their time on building a strong organization-specific risk register and using it as the spine for developing InfoSec Policies and Standards. This leads directly to the next common symptom. 2 Use of “Out-of- the-box” Policies
  • 7. What are the controls I must address to be compliant? How important are these controls to my organization (what is the inherent risk?) How effective are these controls in my organization (what is the residual risk?) What are the mandates driving the need for those controls? The key to simplifying the risk and compliance challenge is a well-defined, organization-specific risk register. Such a tool clarifies: However, such a tool has historically proven to be a barrier to entry. After all, it takes considerable effort to identify all regulatory sources, map them to a harmonized control library, and allocate associated risk ratings. For this reason, many CISOs will either adopt a generic risk register from a GRC tool or website. Or fail to build a risk register at all–instead adopting a compliance-only approach. We strongly caution CISOs against adoption of a generic risk register as they are typically impractical from an assurance perspective and can significantly drive up testing costs. Instead, we advocate a middle ground where organizations adopt a managed content library that can be rapidly customized to include incorporation of its own policies and standards as sources themselves. Such an approach lowers the barrier to entry, while keeping a practical implementation. 3 Use of a Generic Risk-Register
  • 8. A compliance-only approach will wastefully organize testing around individual regulatory sources. The burden for such an approach is acutely felt by IT staff. For example, a system owner must respond to a SOX compliance test. And then a PCI compliance test. And then, a round of tests for internal policy compliance. This all adds up to high compliance costs and may overwhelm staff. A better approach is to integrate all controls into a single framework, allowing a single assessment for control definition, and a single testing pass that measures compliance against all regulatory and internal mandates. This approach treats Policies and Standards like just another regulatory mandate and positions the governance documents as the communication tools they’re intended to be rather than a tool to placate auditors. 4 Overlapping Assurance Programs
  • 9. The root cause of the policy and standards stuggle is a failure to build them through an integrated risk and compliance approach. We advocate an approach that tightly integrates policies and standards with a risk register linked to mandates; which is subsequently used to drive control planning and testing. This approach effectively integrates risk and compliance processes and avoids the common symptoms mentioned while allowing a CISO to overhaul their policies and standards in just 2–3 months. Tackle the Problem with An Integrated Risk & Compliance Approach Risk Register An Integrated Risk and Compliance Approach... ...Answers Key CISO Questions Policies & Standards Control Testing Control Planning Do my Policies & Standards meet the latest regulatory minimums? Have I committed to a regulatory mandate we cannot meet? Where do my Policies & Standards under-control or over-control? Can I measure my Policy Standards compliance?
  • 10. Leveraging our iGRC Content Library as an accelerator, Edgile can help you rapidly deploy a full refresh of InfoSec policies and standards. At the same time, we establish a GRC foundation that ensures you can: Accelerate your journey Operationalize the controls in your environment Assess Once, Test Once and Satisfy both internal policy and standard compliance and external compliance (e.g. laws and regulations) Easily maintain the documents as regulations evolve Sustain a Risk Register with verbatim linkage to laws and regulations Benefits of a Risk-Integrated Approach This methodology has demonstrated its value with consistent success across numerous clients. Rather than being a one-off task for auditors, authoring governance documents becomes a central aspect of the risk and compliance management program, driving security controls throughout the organization. The top four benefits we’ve seen from this approach are: Reduced Risk Reduced Deployment Time Rapid Operationalization Easy Maintenance 1 2 3 4
  • 11. The risk register becomes the CISO’s “single source of truth” regarding compliance and risk mandates. When policies and standards are mapped to a risk register, an organization can confidently “right-size” the control environment in a manner commensurate with its actual and desired risk. The result is the CISO now has both the insight and the ability to address areas where the organization is under- controlled or over-controlled. 1Reduced Risk
  • 12. 2 Reduced Deployment Time Historically, the barrier to entry for this approach is untenable: identifying all regulatory sources, mapping them to a harmonized control library, and building a risk register. However, when using our iGRC Content Managed Service, the hard part is already done. Now, one can simply translate and apply the identified requirements into policy/standard language appropriate for the organization’s desired risk posture. In general, we’ve been able to deploy a risk register and a draft full-spectrum set of information security policies and standards in as little as 2-3 months.
  • 13. Our methodology integrates policy and standards compliance with other risk and assurance processes. An optimized framework means simplified deployment and faster adoption. This ensures every asset owner clearly knows what controls they must adhere to. Further, you can assess once, test once and report on compliance against multiple mandates using a common process that can be scaled up or down considering the organization’s assurance requirements. 3 Rapid Operationalization
  • 14. 4 Easy Maintenance Keeping track of new regulatory rules and guidance from state, federal, and industry-specific authorities is an intensive effort requiring legal expertise. For most organizations, this requires expensive, highly skilled dedicated resources. Our content managed service provide access to the dedicated Edgile team of attorneys, risk and compliance, and InfoSec experts. Now you can have your mandates monitored and harmonized with quarterly updates with a consistent, high-quality Risk Register delivered at a lower cost to the organization.
  • 15. 1 2 3 4 Review CISOs struggle with Information Security Policies and Standards because over time, these Polices and Standards become complex, bloated and frequently contradictory. Neither security managers nor internal auditors can confidently attest they meet minimum regulatory compliance and risk management practices. The root cause of these problems: Failure to build Policies and Standards with an Integrated Risk and Compliance Approach. Simply re-stating regulatory mandates Use of “out-of-the-box” policies Overlapping assurance programs Use of a generic risk- register Instead, policies and standards are too often authored with a compliance-only mindset. There are four common symptoms of this problem: Edgile’s Integrated Risk and Compliance Approach leverages our iGRC Content Library to accelerate your deployment. The benefits of our approach include: Reduced Risk Reduced Deployment Time Rapid Operationalization Easy Maintenance 1 2 3 4
  • 16. Edgile is the trusted cyber risk and compliance partner to the world’s leading organizations, providing consulting, managed services, and harmonized regulatory content. Our strategy-first model optimizes IAM, GRC, and cybersecurity both on-premises and in the cloud. By transforming risk into opportunity, we secure the modern enterprise through solutions that increase business agility and create a competitive advantage for our clients. For more information about Edgile, visit www.edgile.com. About Edgile