{"id":65,"date":"2004-10-08T00:00:00","date_gmt":"2004-10-08T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2004\/10\/08\/isd-conference-04-regulatory-compliance-in-the-real-world\/"},"modified":"2021-12-30T11:36:26","modified_gmt":"2021-12-30T11:36:26","slug":"isd-conference-04-regulatory-compliance-in-the-real-world","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2004\/10\/08\/isd-conference-04-regulatory-compliance-in-the-real-world\/","title":{"rendered":"ISD Conference ’04: Regulatory compliance in the real world"},"content":{"rendered":"

The best way to meet “squishy” security provisions in regulations like Sarbanes-Oxley is to match appropriate controls against anticipated threats and create a defensible case to support those decisions. Otherwise, enterprises risk devoting too few — or directing too many — resources to come into compliance, according to Paul Proctor, META Group’s vice president of security and risk strategies.<\/p>\n","protected":false},"excerpt":{"rendered":"

“Regulations recognize you can’t protect yourself from everything,” Proctor told delegates at Thursday’s Information Security Decisions conference.<\/p>\n

But, he acknowledged, their built-in flexibility also can work against an organization if controls aren’t mapped to a proactive, process-oriented security program based on an ongoing risk assessment.<\/p>\n

Corporate governance-oriented SOX, which holds public companies’ top executives accountable for internal data controls, is especially vague on security.<\/p>\n

The real deal with Sarbanes-Oxley: Perspectives for the security manager Delve below the surface and examine how SOX applies to the work done by the security manager.<\/p>\n

Companies that must meet multiple regulatory laws should find common denominators and then roll out a security program based on the general legal requirements, such as record-keeping, incident reporting and following best practices.<\/p>\n

Build a defensible case for anyone likely to challenge those controls, such as data owners and both internal and external auditors who ultimately decide who is and isn’t meeting security and privacy guidelines.<\/p>\n

http:\/\/searchsecurity.techtarget.com\/originalContent\/0,289142,sid14_gci1013875,00.html<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-65","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/65","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=65"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/65\/revisions"}],"predecessor-version":[{"id":2552,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/65\/revisions\/2552"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=65"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=65"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=65"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}