Compliance: Where Governance and Compliance Intersect

Over the past few years there's been a trend in the security industry that has actually redefined our notion of compliance and what it means to be 'compliant'. Whenever I hear someone talking about compliance issues, it's almost always in terms of PCI, or HIPAA, or some other external third party requirement. This tendency to look at compliance as an externally driven business imperative represents a serious flaw in our thinking today.

Years ago when we talked about compliance, it was in terms of compliance with one's own internal policies, processes, and practices. Yes, there were external influences at play, but not to the degree that we have today. Instead, we took those external factors and wove them into the core fabric of our security programs and projects. It appears that somewhere along the line this changed.

My argument is that compliance should have nothing to do with terms like PCI, or any other external third party requirement. Sure, at some point you should be able to tell folks that yes, you are compliant with those standards, but what you shouldn't be doing is building a 'compliance' program around them. There's an alternative method that actually places external third party requirements right where they should be.

PCI, HIPAA, FISMA, and whatever else you want to add to the list, are all GOVERNANCE issues... not compliance ones. When you sit down to determine how your organization is going to meet those requirements, you need to be able to look across the board and make sure that ALL of your bases are covered. The right way to do this is by folding those external third party requirements into your governance framework instead, and deciding what you really need in order to properly protect your organization from harm.

Now to some people it may sound like I'm splitting hairs. After all we generally tend to lump governance, risk management, and compliance together under a single umbrella anyway. There's a good reason for my position though... Your compliance program should actually be about managing compliance with YOUR security requirements, not someone else's.

If you take all of those external third party requirements and embed them in your governance framework, then the policies, processes, and practices that you build into your security program will be representative of everything your organization needs to accomplish from a security perspective. Then, when you start talking about compliance, it's in the context of making sure that everyone is paying attention to YOUR requirements, and not just the 'lowest common denominator'. This is actually a pretty important distinction.

So the next time you start talking to folks about compliance requirements, try ratcheting the conversation up a level. Bring things into the realm of governance instead. You may just find that it sparks a conversation around a little understood topic... one that often takes a back seat to conversations about 'compliance' with those third party mandates we're always hearing about. Governance issues need a lot more attention than we generally tend to give them today. Maybe this is a way to change the conversation a bit, and bring governance back into the picture as a key component of any sound information security program.

Just a thought anyway...

'til next time
