Site Menu

Point in Time vs. Continuous Compliance

By Jim Hietala
Published 02/26/2009

Rich Mogull pretty well nails the problem with respect to some of the recent breaches in the retail area. I couldn't have said it better.

In a previous life with an IT-GRC vendor, we played around with messaging that described "continuous compliance", vs. "point in time compliance". The idea being that as soon as the (audit/regulators visit) is done, compliance starts degrading as things change in the business (new IT infrastructure is added, staff come and go, business units are bought/sold, and on and on). Lots of people identified with the reality that the compliance posture starts degrading as soon as the auditors leave the building. The compliance posture tends to only start improving towards "being in compliance" as the next audit draws near. But, it turns out "continuous compliance" as a marketing message for an IT-GRC vendor went over about like "continuous root canal" might for a dentist.

I think where we need to get to is assuring a continuous state of security controls (proscribed in this case by the PCI SSC). Not easy for technical controls (although The Open Group is working on a standard that may help in this area, details are here.) Very difficult for administrative and process controls that have to be assessed periodically by a questionnaire process.

Coming back to the folks writing the standards and regulations, they have this conundrum. There's probably only so much pain they can inflict upon those affected by the regs. and standards. Increasing the frequency of audits helps, but increases the burden on affected entities.

Jim

Jim Hietala

Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.

Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.

He holds a B.S. in Marketing from Southern Illinois University.

Blog: www.compliancefocus.com

Twitter: http://twitter.com/jim_hietala

LinkedIn: http://www.linkedin.com/in/jimhietala

Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy

Jim can be reached at: jim@compliancefocus.com

Spread The Word

1 Response to "Point in Time vs. Continuous Compliance"

Phil

said this on 14 Apr 2009 8:49:27 AM EDT

Jim, It is interesting to me that so much time is given to security, while compliance is often viewed as a necessary evil. Compliance is often expensive, and that expense can either be an investment in improved security or simply the cost of checking a box on an auditor's checklist. I appreciate your giving compliance some air time and helping folks to understand how to make it an investment rather than a cost of doing business. Best wishes for your business. Thanks, Phil CIO http://www.TechnologyProfessional.Org

(Reply to this comment)