RSA’s Compliance Scorecard is intended to help organizations unravel the multiple frameworks and regulations affecting their business, according to their vertical sector, their geography and their size.

It helps map regulatory requirements to key IT controls and to identify the specific information security measures that would provide reasonable and appropriate controls for data protection and security.

From an information security perspective, regulatory compliance is about protecting and managing digital assets. Areas of risk management, authentication, access control, data protection, logging and reporting can all be considered as part of an evaluation and assessment process using the scorecard.

Organizations need to understand what regulations they need to adhere to and what control frameworks to adopt, but many of these are self-referential and some are out-dated, said Jeff Loeb, director of product marketing at RSA Security.

Unpicking regulation after regulation is a losing approach to compliance, he argued; there are too many, and it cannot be done sequentially. What is needed is a set of controls that constitute a framework of best practice for ongoing compliance. The scorecard is provided as a starting point for establishing that framework.

The idea is that many regulations share common fundamental security requirements such as verifying identities, allowing only authorized access to information or providing reliable audit reports, the company said. Once the system has been used to explore the compliance requirements of an organization, an executive is guided through a strategy evaluation and onto an appraisal of the resources needed to drive the compliance strategy.

Loeb says the company has developed 63 best-practice processes derived from industry-accepted frameworks such as COBIT, NIST 800-53, ISO 17799 and FFIEC, along with other controls and standards. The system summarizes key global regulations, control frameworks and information security best practices, identifies information security competency gaps, and then creates a customized report that highlights gaps and opportunities for key stakeholders and management, he said.

The scorecard can also be used to assess the maturity of an organization’s compliance capabilities, with reference to its information security posture. Guidance is given on the reasonable and appropriate controls that would then be needed to move from a position of being ‘at risk’ to ‘basic’ coverage, or from the status of ‘common practice’ to one of ‘best practice’, depending on the deployment of access, authentication and data reporting tools and the compliance requirements set down by the strategy evaluation.

RSA no doubt hopes the system will help drive sales of its products, but it says its approach should ensure that information security regulations are comprehensively met on an ongoing basis, at the lowest cost to the business. Loeb said the scorecard is available free of charge to RSA customers and prospects.