Information Security Compliance Frameworks

Companies in highly-regulated industries can adopt a security framework like PCI or COBIT to manage compliance initiatives.

For IT Agility, Avoid "Rolling Your Own" Compliance Frameworks

When it comes to the privacy of your employees' and customers' data, IT professionals understand that security is paramount. But HOW secure is secure? What guidelines are out there for developing a secure data transfer strategy?

These days there are competing frameworks that drive compliance across all industries worldwide. Most cover the same ground using very different structures and terminologies. These comprehensive IT security frameworks underlie many of the modern compliance standards such as Sarbanes-Oxley, the Basel initiatives and HIPAA.

According to cybersecurity expert David Lacey: "You have to avoid creating your own standards or frameworks as the maintenance overhead is simply too big. Existing standards are automatically updated with emerging compliance requirements. So all that work is taken away from you if you adopt one of the existing standards."

Depending on your location and industry it is likely that one of the frameworks below will drive your approach to IT security and compliance:

PCI DSS

Organizations in the financial services or retail sectors have long had to comply with the tough PCI standard (Payment Card Industry Data Security Standard).

COBIT

Control Objectives for Information and Related Technology (COBIT) is a perhaps too complex set of best practice controls, designed by auditors who tend to operate at a high level of detail. A useful reference standard. In the US, public companies commonly turn to COBIT with Sarbanes-Oxley.

ISO/IEC 27001 and 27002

The oldest of the IT security standards is one of the few written by security managers for security managers. It's a code of practice, not a specification, which allows IT professionals to interpret it in a flexible way that makes sense for their business size and industry. It has about half the number of controls as PCI/DSS. ISO 27001 is a guide to establishing a security management system and ISO 27002 has lots of detail about what each control really means. Good choice for a global enterprises.

NIST Information Security Handbook

The US National Institute of Standards and Technology offers their set of standards in its Information Security Handbook. For US companies, and in particular US Government agencies, the NIST Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.

ITIL

The ITIL (IT Infrastructure Library) standard covers a lot more than security. Really it's a blueprint for aligning Information Technology services with business. ITIL offers specific recommendations on the functions that IT teams should cover, including Security Management. ITIL is more about the services that an IT team engages in to ensure data security than the actual security provisions themselves.

Once you've chosen a security framework, building out your IT infrastructure and choosing the tools to manage and move data is simple. Find tools that support the latest iteration of the standard and that are constantly updated to counter emerging risks. Here are some more best practices to take the risk and pain out of your next security & compliance audit.