Most administrators and managers release a collective growl in response to discussions regarding compliance management. Achieving Sarbanes-Oxley, ISO 27001, COBIT, HIPAA, and other compliance levels are great goals and requirements for some, but the fact is that most organizations simply do not have the time to dedicate the resources to deliver an accurate assessment. While there are many tools that can address the technology aspects of compliance, not all offer a comprehensive approach to scoring all factors.
Recently, I had an opportunity to work with the Modulo Risk Manager platform. I was impressed by its ability to deliver a security index score based on a comprehensive approach that actually starts at the top with business process and proceeds with a top-down approach from the process. From here, specific technologies, staff, facilities, and controls are integrated to provide a comprehensive knowledge base that spans over 11,000 controls, 4200 data collectors, and 250 checklists.
Let’s take a look at a specific example of a risk assessment of the chief financial officer (CFO) for an organization. Within Risk Manager, there are 24 controls that assess and score this particular person within an organization’s assessment. For the CFO, this focuses on management priorities that are made available to the organization. Figure A shows some of the controls for the CFO:
These controls can be applied to many areas of the organization, and then collectively pulled together to gauge compliance within the selected regulatory frameworks applicable. The controls are available for many people within an organization, facilities such as a datacenter, computer assets such as servers and the processes such as change management. Within each object, the controls are specific to the object. For example, a Microsoft Windows Server 2003 server has 355 controls, a Microsoft SQL Server 2005 system has 116 and a Solaris server has 134 controls. The functional structure is configurable to the organization and all of these factors roll into the compliance project to apply to the specific framework. Further, the data can even be displayed on a map for a high altitude view for a large organization with many geographic locations.
By allowing the compliance assessment to span more than just the technology, organizations will be better equipped for overall compliance. And the business process is the core to this approach, as well as being a cornerstone to most successful organizations.