Struggling with regulatory compliance? You've got company; these days, many CSOs list compliance as headache number one. Accordingly, there’s no shortage of compliance tools swimming around in the security marketplace. BindView, Citicus, Consul, Intellitactics and Preventsys—software vendors that describe their products in a broad variety of categories (risk management, threat analysis, policy tools, security information management and many more)—all feature compliance heavily in their marketing materials. There are also vendors focused directly on regulatory issues. Logical Apps makes a product called Compliance for Oracle that enforces controls such as segregation of duties within financial applications so that, for example, the same user cannot access both accounts receivable and accounts payable. Virsa Systems offers a suite called Confident Compliance with a similar module for SAP systems. Even biometrics and identity management vendors are pitching their wares as compliance-focused.
Many users say these tools can help. Codan Forsikring, a Danish insurance company, uses Consul’s software to winnow actionable information about system events and user behavior out of lengthy event logs generated by the company’s systems. Lars Jorgenson, an information security consultant for Codan, says Consul (which offers multiple modules, each aimed at a particular regulation) also helps document his company’s information security controls, and good documentation is a critical part of regulatory compliance audits.
The rub for CSOs lies in finding the right tools for their own particular business. Sharon O’Bryan, a former CISO and now president of O’Bryan Advisory Services, notes that software helpful for one company may be only marginally effective for another, even within the same industry.
The fundamental key, O’Bryan says, is to look at the big picture. CSOs should consider information assets “on an end-to-end process” basis (from the time the data is captured, through transmission, processing and storage), then ensure that proper controls are in place to protect the data. Once the controls have been considered, O’Bryan suggests, software tools can be added where they add operational efficiencies, as in the Codan case. But to expect to buy compliance in a box without first examining existing controls is a fool’s errand.