
Information Security & Multi-Compliance: Avoiding Audit Fatigue with a Single IT Compliance Strategy

White Paper Published By: Tripwire

It's common for information security managers to be held responsible for situations where they have little control or influence in the rest of the organization. This Prescriptive Guide outlines the steps information security managers can take to break the compliance blame cycle and build an information security program that works. It also describes how they can achieve alignment among all stakeholders so that information security and compliance activities become integrated into daily business operations.



Tags : 
tripwire, information security, audit fatigue, compliance, security risk, auditing, risk management, information management

Tripwire
Published:  Dec 16, 2009
Type:  White Paper
Length:  19 pages

Prescriptive Guide Series

Information Security and Multi-Compliance: Avoiding Audit Fatigue with a Single IT Compliance Strategy

By Gene Kim, CTO, Tripwire, Inc., and Jennifer Bayuk, Cybersecurity Program Director, Stevens Institute of Technology

A tactical guide enabling you to take action and achieve operational excellence.
TABLE OF CONTENTS
Executive Summary. 4
Information Security Management's Dilemma. 5
Nine Steps to Building An Information Security Compliance Program that Works. 6
Terminology Used in This Document. 8
Step 1: Align with the tone at the top . 9
Step 2: Create a set of merged information security and compliance/business goals . 9
Step 3: Define ideal information security goal indicators. 11
Efficiently Using Change and Configuration Controls to Meet Business Process Goals. 11
Efficiently Using Access Controls to Meet Business Process Goals. 11
Step 4: Gain an end-to-end understanding of information flow. 12
Step 5: Agree upon control ownership, roles and responsibilities. 13
Step 6: Define the control tests so business process control owners will agree with the results. 14
Step 7: Schedule and conduct regular control tests. 15
Step 8: Organize metrics and remediation reports. 15
Step 9: Detect and respond to significant changes to the control environment. 16
The Role of Tripwire Enterprise in the Nine Steps. 17
Moving from Crisis Management to Routine Preparation. 17
Addendum To Step 3: Contrasting Approaches To Controlling Change And Access. 18
Meeting Management Objectives for Change Controls. 18
Meeting Management Objectives for Access Controls. 19
About the Authors. 20
©2009 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.

Executive Summary

Experienced managers typically do not want to be held accountable for situations where they have little control or influence. However, this is not an unusual scenario for information security managers. It happens every time they are held responsible for the failed results of a compliance audit, even though they had tried to decisively close the security implementation gaps that would have led to a more successful outcome.

This situation typically occurs because business process owners and information technology (IT) management often view information security as a distraction from "real work." Furthermore, information security managers often discover too late that business and IT management were not as prepared for the audits as was represented, resulting in last-minute, but often inadequate, emergency preparation work. As a result, business stakeholders, IT, and information securit... [download for more]
