A large number of security compliance policies and strategies are filled with absurd commands.
Compliance is certainly a boring topic in the cybersecurity space. To many there is nothing to get excited about, since most people treat it as a tick-box exercise. Whichever compliance regulation is under discussion, organizations collectively groan when it comes to implementing it.
In many cases, compliance requirements are poorly written, which makes them confusing and vague. Much of the confusion around compliance comes from the documentation itself. It is no surprise that businesses struggle, particularly when they have to comply with several sets of requirements at the same time.
Take ISO 27001, the information security standard whose goal is to improve how businesses manage data security. Its process includes commands such as “define a security policy”, “manage identified risks”, and “conduct a risk assessment”. The specifications behind such commands are needlessly subjective and awfully vague.
Similarly, the Gramm-Leach-Bliley Act (GLBA) requires US financial institutions to explain their information and data sharing practices to their customers. It states that financial companies must create a written information security strategy. However, it gives no instruction on how to achieve that.
Understandably, drafting security compliance requirements for such a broad audience is a tricky task. The requirements must apply to every business in a given field, even though each of them conducts trade and builds its technological infrastructure differently.
Moreover, the writers of compliance requirements are always working against the clock. IT norms and regulations evolve rapidly, and requirements drafted today could be obsolete tomorrow.
Requirements need to be clear, well structured and regularly updated in order to avoid confusion. Information related to data protection, in particular, should be precise, understandable and implementable.
Organizations need to recognize that every compliance mandate aims to keep data secure by allowing access only to those who require it for business purposes. Compliance is therefore crucial for data storage, access management, and file auditing.
Getting these aspects right helps demonstrate a company’s willingness to comply. But more clarity and less complexity in the requirements themselves would go a long way toward getting the most out of security compliance.