Friday 12 August 2011

Compliance vs Assurance

Compliance is often the sole assurance activity undertaken. But is this really enough?


Introduction

Many companies take steps to ensure that they comply with industry standards and regulations, as well as requiring individual business areas to meet the organisation’s own internal policies and standards/procedures. Compliance activity is then undertaken to check that these policies and standards are met.


What Is Compliance?

Compliance activity is generally carried out to confirm that a defined baseline standard of security is reached across the broad scope of an organisation. These baseline standards, though, do not necessarily ensure that systems, networks and assets meet the level of security required by the organisation or the individual business area, or that the security risk sits within the organisation’s risk appetite. Compliance alone will therefore not provide assurance that the organisation is secure, but only that the policies and standards have been met.

As such, compliance can become a ceiling rather than the baseline.


Why Do More?

In addition to compliance, assurance should also be sought. The information security threat space evolves rapidly, and security controls need to be responsive if they are to prevent or combat the threat. Standards can easily and quickly become out of date, so compliance alone is not enough. Assurance activity takes into account the broader threat environment and looks at the risks to an asset within the context of the external environment and the criticality of the data or function that the asset represents.


What Is Required?

A blended approach that takes into account both the need to comply with policy and the ability to gain assurance is required to manage IT security risk effectively. Assurance testing would exercise each control to confirm not only that it is the right control, but also that it provides the level of protection required. This gives a true assessment of the security risks faced by that asset and exposes any false sense of security that misplaced trust in a control had provided.

This approach would enable organisations to satisfy themselves that they are within risk appetite, by ensuring that systems and assets not only meet the standards laid out in policy but that the level of security risk is also fully understood.