
Communicating Compliance
Written by Fred Thiele   
Wednesday, 02 July 2008 13:13

Tracking, reporting and communicating compliance status to management is cumbersome and time-consuming. The right tools to track and report compliance status will enable a pre-audit compliance team to be more productive by clearly communicating status and limiting duplicate effort.

The Federal Information Security Management Act (FISMA) is a federal law enacted in 2002 as Title III of the E-Government Act of 2002. Several implementations of FISMA exist, most notably within the NIST Special Publications http://csrc.nist.gov/groups/SMA/fisma/index.html.
I use FISMA throughout this example, but the methodology described herein can be applied to many areas of regulatory compliance.

There are plenty of regulatory compliance software solutions in the market. Many of these packages are great tools with built-in workflow, but many are not practical for small to medium businesses due to cost constraints or other obstacles. For this reason, it is imperative that businesses have a method to perform a self assessment to prepare for an audit.

Develop a Master Control Set
This may seem like an obvious step, but many organizations aren't familiar with the actual checklists they will be audited against. The first thing to do when beginning a compliance effort is to list the regulations, develop a spreadsheet of controls and begin a self assessment against those control sets.

NIST SP800-53 (PDF) does this particularly well, as each control is categorized into one of 17 categories (Access Control [AC], Awareness Training [AT], Contingency Planning [CP], etc…). Each of the 17 categories is further categorized into Managerial, Technical or Operational. This scheme lends itself to self assessment and reporting rather well.

I like the structure so much that I plug additional regulations into this format if I need to use them. For example, if you are performing a NIST 800-53 audit against a healthcare system, and the healthcare agency has one or two other sets of standards they must comply with, then I will integrate those standards into the 800-53 format. This produces a "Master Control Set" for the self-assessment.

Performing the Self Assessment
The NIST framework categorization described above allows the self assessment team to break controls into meaningful groups. Instead of handing a spreadsheet of 600+ controls to a co-worker to perform a self-assessment, it makes more sense to give them the group of controls that best pertain to their business unit. For example, an HR manager will likely not know much about facilities. Likewise the facilities manager will not understand all the HR policies and procedures.

When performing the self assessment, it is important to track all responses, documents and notes. Normally, I track answers to control text in the following columns:

Control Text Number - The control number (for tracking purposes)
Control Text - The full text of the control
Control Clarifications - Any clarifications about the control's purpose
Interview Comments - The comments made by the person being interviewed during the self assessment
Level of Maturity - The level of maturity of the control (0-5)

Since most of the self assessment will be performed via phone or personnel interviews, it is imperative to track these comments for future reference. If a document is required to be compliant, make a note of it here.

Level of maturity is a field I use to add detail and metrics reporting to the self assessment. An example level of maturity scale is:

Level 0 Not Addressed
Level 1 Documented Policy
Level 2 Level 1 + Documented Process
Level 3 Level 2 + Documented Procedure
Level 4 Level 3 + Tested and Reviewed Controls
Level 5 Level 4 + Full Integration With Business Processes

This gives the ability to have a scale of compliance, instead of a binary "yes" or "no". Normally, the agency or company will define a "minimum accepted level of maturity" that a control must reach to be considered compliant. Level 3 is the minimum accepted level of maturity in this example.

Reporting
Throughout the self assessment, status will need to be reported as to where the agency or company stands in terms of "audit-readiness". A set of these reports will go to upper management, who may or may not have a full grasp on the scope of the effort. Other reports will be generated for line and project management. For this reason, several different reports will need to be created, each satisfying the needs of its recipient.

The most difficult report I found to generate was the high-level "balanced scorecard" on the overall status of the effort. Most of the time, these reports go to executive management who 1) have little time to understand the full status but 2) need to "get it" in a very short amount of time.

The balanced scorecard below represents the culmination of the executive scorecard for reporting compliance. Each NIST category is represented on the left side of the chart. Across the top is the level of maturity of each control within the NIST control family, with Level 3 being compliant. It is easy to see where the most work on controls will need to occur (Yellow, Orange and Red squares correlate to the percentage of controls in each category that are non-compliant). The right-most column is the percent of compliant items for that category.

balanced-scorecard.png
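As an added illustration, not code from the article or from Laconic Security, the script below models the tracking columns described under "Performing the Self Assessment" and rolls them up into the per-family scorecard described above: one row per NIST control family, a count of controls at each maturity level, and the percentage of controls at or above the minimum accepted level (Level 3 here). The control numbers and titles are SP 800-53 identifiers; the maturity levels, interview comments and document notes are constructed sample data, and the column and function names are my own.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# The article's example maturity scale (Level 3 is the minimum accepted level).
MATURITY_SCALE = {
    0: "Not Addressed",
    1: "Documented Policy",
    2: "Level 1 + Documented Process",
    3: "Level 2 + Documented Procedure",
    4: "Level 3 + Tested and Reviewed Controls",
    5: "Level 4 + Full Integration With Business Processes",
}
MIN_ACCEPTED_LEVEL = 3


@dataclass
class ControlRecord:
    """One row of the self-assessment tracking spreadsheet (column names assumed)."""
    number: str                      # e.g. "AC-2"; the family is the prefix before the dash
    text: str                        # full control text (abbreviated to the title here)
    clarification: str = ""
    interview_comments: str = ""
    maturity: int = 0                # 0-5 on the scale above
    required_documents: list = field(default_factory=list)  # documents still owed

    def __post_init__(self):
        # Reject out-of-range levels early; a typo here would silently skew the scorecard.
        if self.maturity not in MATURITY_SCALE:
            raise ValueError(f"{self.number}: maturity must be 0-5, got {self.maturity}")

    @property
    def family(self) -> str:
        return self.number.split("-", 1)[0]


def scorecard(records, threshold=MIN_ACCEPTED_LEVEL):
    """Roll per-control maturity up into one row per control family.

    Returns {family: {"counts": [n_at_level0, ..., n_at_level5],
                      "total": n, "percent_compliant": float}}.
    """
    by_family = defaultdict(list)
    for r in records:
        by_family[r.family].append(r.maturity)
    card = {}
    for family in sorted(by_family):
        levels = by_family[family]
        counts = [levels.count(lvl) for lvl in range(6)]
        compliant = sum(1 for lvl in levels if lvl >= threshold)
        card[family] = {
            "counts": counts,
            "total": len(levels),
            "percent_compliant": round(100.0 * compliant / len(levels), 1),
        }
    return card


def overall_percent_compliant(records, threshold=MIN_ACCEPTED_LEVEL):
    """Single executive-level number: share of all controls at or above threshold."""
    compliant = sum(1 for r in records if r.maturity >= threshold)
    return round(100.0 * compliant / len(records), 1)


def open_items(records, threshold=MIN_ACCEPTED_LEVEL):
    """Line-management view: non-compliant controls and the documents still owed."""
    return [(r.number, r.maturity, r.required_documents)
            for r in records if r.maturity < threshold]


def render(card):
    """Plain-text version of the scorecard chart (family, count per level, % compliant)."""
    lines = ["Family  " + "  ".join(f"L{lvl}" for lvl in range(6)) + "  % compliant"]
    for family, row in card.items():
        cells = "  ".join(f"{n:>2}" for n in row["counts"])
        lines.append(f"{family:<7} {cells}  {row['percent_compliant']:>5}")
    return "\n".join(lines)


# Constructed sample assessment: real SP 800-53 control numbers, made-up maturity data.
SAMPLE = [
    ControlRecord("AC-1", "Access Control Policy and Procedures", maturity=3),
    ControlRecord("AC-2", "Account Management", maturity=1,
                  interview_comments="Accounts reviewed ad hoc; no written process",
                  required_documents=["Account review process"]),
    ControlRecord("AC-3", "Access Enforcement", maturity=4),
    ControlRecord("AC-17", "Remote Access", maturity=2,
                  required_documents=["Remote access procedure"]),
    ControlRecord("AT-1", "Security Awareness and Training Policy", maturity=3),
    ControlRecord("AT-2", "Security Awareness", maturity=5),
    ControlRecord("CP-1", "Contingency Planning Policy and Procedures", maturity=0,
                  required_documents=["Contingency planning policy"]),
    ControlRecord("CP-2", "Contingency Plan", maturity=2),
    ControlRecord("CP-4", "Contingency Plan Testing and Exercises", maturity=3),
]

if __name__ == "__main__":
    print(render(scorecard(SAMPLE)))
    print(f"Overall: {overall_percent_compliant(SAMPLE)}% compliant")
    for number, level, docs in open_items(SAMPLE):
        print(f"  {number}: Level {level}, owed: {', '.join(docs) or 'none'}")
```

Keeping the threshold as a parameter rather than a constant baked into the rollup matters in practice: the same spreadsheet can be re-scored when management raises the minimum accepted level, and the executive number and the line-management open-items list are guaranteed to be computed from the same records and the same rule.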

Conclusion
The key to a successful pre-audit is understanding the regulations with which you need to comply, performing the self-assessment against those regulations and clearly reporting the status of the self-assessment to management. Following these key items will eliminate a majority of the headaches presented during an organization-wide compliance effort.

Laconic Security designs solutions to meet your every security need, including regulatory compliance. Visit http://www.laconicsecurity.com/services.html for more information about our offerings.
