Addressing compliance in corporate security governance.

How to address the issue of compliance in Information Security.

We already noted on our page on Security Governance goals and objectives that it is important for your organization to separate compliance management from security prioritization. In fact, we would go further and remove compliance management from security management entirely, making it an oversight function within corporate security governance. We have seen too many organizations use compliance as the driving function for their information security and, as a result, build a compliance culture instead of a security culture. Their information security became more expensive than necessary and, at the same time, a lot less effective.

Compliance as an audit function

Instead of integrating compliance into your strategic security context, and complicating your strategic security policies with lots of statements about compliance, we discuss how compliance should be implemented as an audit function. We also propose that any lack of compliance found in such a compliance audit should be addressed through your accountability structures and processes.

The security strategic context model that we discussed on a previous page should ensure that your organization has no real compliance issues once it has had sufficient time to institutionalize this model in its security governance. Hence, any compliance issue raised means either that your security governance has not yet reached enough maturity, or that someone may not be doing his or her job. That is why such issues should be addressed as part of an accountability feedback loop. Of course, a compliance issue may also turn out not to be an issue at all; in that case, it is your compliance audit that needs to be updated instead.

To develop a compliance audit function, your organization will need to develop a compliance audit policy. If your organization already has an extensive set of strategic and operational security policies that mention the various compliance issues, all you need to do for now is extract those statements from these policies and add them to your new compliance audit policy. If you don't have such policies, it might be useful to look at the web sites of your local universities. They often have their security policies publicly available, and these documents are likely to mention which local compliance issues they address.

Now that you have a first version of your compliance audit policy, you will need to extend it into a practical document that helps you identify which compliance issues your compliance audit will need to check for. You will probably be surprised how little practical advice your organization's current security policies contained. In reality, most organizations rely on an external security audit to ensure that compliance issues are detected. While these external audits may or may not cover your organization's local compliance issues, they do at least demonstrate that your organization takes its duty of care seriously.

Auditing your security audit

External audits are often no more than security checklists. To manage your compliance properly, your organization will need to do more than have an independent auditor work through a checklist. You will need to ensure that your organization regularly goes through a proper security audit that looks for changes in your IT infrastructure, your security environment and your regulatory requirements, and that identifies areas for future improvement. Hence, your compliance audit function should include an audit of your security audit practices.

While it is important that your security audit function is independent from your security governance and security management, most external security auditors will not have enough knowledge of your internal security infrastructure to perform a proper security audit. There is a role for external audits, but your organization definitely needs to develop an internal security audit capability as well. A comprehensive internal audit can, and should, cover a lot more ground than a simple checklist-based external audit. To cover your compliance requirements adequately, you will not only have to check your internal security audit checklist for compliance with external standards and laws; you will also have to ensure that your internal audit does what a real audit is supposed to do.
