Cyber Security Institute

Wednesday, September 06, 2006

Winning the Compliance Game

The Compliance Security Council, made up of the Institute of Internal Auditors, the Computer Security Institute, and Symantec, has been tracking what’s working and what’s not, says James Hurley, executive director of research for the Security Compliance Council and a director of research at Symantec.  In the past year, about 85 percent of the organizations have been through one regulatory audit; 60 percent have been through two or more; and 80 percent, three or more.  Spending on IT security wasn’t drastically different between organizations with the best audit results and those with the worst.  The successful ones spent over 10 percent on security, and those with failures, six percent or less, Hurley says.

Auditing woes mostly stem from improperly securing user machines and servers, according to the council’s findings.  “The problems being flagged in audits are in user and access controls on PCs and laptops, audit reporting and problems in configuration change management,” Hurley says.

Those with poor audits are spending 43 percent of their IT budget on security equipment and software for IT compliance and those with successful audits, 52 percent.  “They are taking money out of labor and putting it into automating the processes” such as measurement and monitoring IT compliance across the board, Hurley says.

“The organizations [surveyed] doing continuous monitoring had the least number of audit deficiencies.”

Meanwhile, security firms that perform vulnerability assessments and penetration testing say regulatory compliance is driving much of their business today.  Steve Stasiukonis, vice president and founder of Secure Network Technologies, says regulatory compliance pressures from SOX and HIPAA, for instance, are one of the main reasons his clients hire him.

http://www.darkreading.com/document.asp?doc_id=103041&WT.svl=news2_5