13 essential steps to integrating control frameworks
How to merge multiple regulatory requirements under a rational, effective security and controls governance process
By Chris Gray, Accuvant
July 12, 2010 — CSO —
In recent years, requirements for effective information technology governance programs have increased. Information security and risk management professionals face a continually growing collection of laws, regulations, and industry standards (PCI DSS, Sarbanes-Oxley, HIPAA and Red Flag Rules, to mention just a few examples), each adding to a seemingly endless set of requirements. As organizations attempt to comply with these provisions, the various activities can become confusing, conflicting, and difficult to manage.
It is fairly obvious that each of these laws, regulations, and standards was created with a specific, laudable goal: to protect a specific type of data asset that, if compromised or corrupted, could result in damage to either the controlling organization or the originating entity. Undeniably, these data elements have value, and they deserve protection. The question that arises from this need, however, is how to provide such protection in a way that is both comprehensive and actionable.
In order to address individual or combined groups of requirements, organizations often adopt various security or risk management "frameworks". These programs apply a comprehensive list of controls, standards, or practices that, when implemented correctly, claim to provide an organization the ability to reduce the overall risk to critical data. The types of data, however, vary, and it seems that someone publishes a new "best practice" every day. With the different controls, breadth of coverage, and levels of rigor and detail, the one consistent quality of these frameworks is the lack of consistency.
Regardless, at the end of the day, each framework (or requirement set that functions as a framework component) is simply an effort to address general information technology needs, government-specific requirements, and industry-driven standards. As a rule, they are high-level in their requirements, specifying "what must be done" rather than "how it must be accomplished". To ensure that they remain effective against the continually changing information security threat landscape, these control sets require an ongoing process of implementation, review, and security program updates.
Considering these issues, adopting these control sets can seem to be more trouble than benefit. The requirement to achieve compliance in our modern business environment is critical, however, and organizations find this need to be adequate reason to make the commitment. The price of non-compliance with required controls can be immediate and costly, both from direct fines and from indirect costs such as loss of consumer confidence and market share. Organizations seeking to comply with the stated controls must approach this effort in a way that addresses not only immediate compliance but also ongoing adherence. This is where frameworks become essential.