1. Compliance Challenges in Information Security
Addressing the pain points…
Manasdeep
(manasdeeps@gmail.com)
2. #whoami
• Information Security Consultant
• Interested in Compliance and Penetration Testing
• Have a flair for writing on Information Security
• Like to learn and demonstrate the latest security attack
vectors and technologies
• Active participant and volunteer in various information
security communities
3. Agenda
• Why does an organization need to comply?
• Compliance challenges in IT based Organizations – Overview
• Infrastructure Challenges and Solutions
• Process challenges and Solutions
• People challenges and Solutions
• How does it help me?
• Takeaways
4. Why does an organization need to comply?
• Keeps it compliant with federal and state laws, which it needs in
order to function smoothly as a legal entity
• When employees are trained in compliance, they are more
likely to recognize and report illegal or unethical activity.
• Helps the organization avoid waste, fraud, abuse,
discrimination, and other practices that disrupt operations
and put the company at risk.
• Can help prevent major disasters and failures.
5. How to determine an organization's compliance scope?
Geographical presence of Organization
• Country specific regulations
• Central laws
• State laws
Operating Industry sector of Organization
• Sector specific regulations
• Sector specific Standards
Manpower Size of Organization
• Central labor laws
• State Labor laws
• Safety Regulations
Legal entity of Organization
• Public listed
• Privately owned
• Trusts / NGO / Community based
9. Addressing Compliance Challenges
Getting an organization to absorb a change driven by a security standard, a
regulation or an internal security policy change is by no means a small feat.
The following areas need special focus to make sure the organization is ready for
the change the compliance requirement demands. These are the stickiest areas,
the ones most likely to resist change from the established norm in the
company. They are as follows:
• Overhaul of Infrastructure
• Overhaul of Process
• Overhaul of People
Once these are well in place, however, the transition away from the existing
norms in the company is much smoother.
Our aim here is to get these moving parts of the organization to see that
changes in security compliance are for the better and act as a catalyst for the
growth of the organization as a whole, rather than stifling it, as is commonly
perceived.
Bottom Line Objective:
10. Compliance Challenges - Infrastructure
Lack of senior management buy-in, commitment and support
• Create cost/benefit analysis charts that show the investment and its ROI
• Jointly define and agree on the value of the IT infrastructure investment
and its ROI
• Make a proper business case that justifies the purchase and its benefit
after deployment
• Keep the language simple and free of jargon
Difficulty in getting required business participation
• Highlight pain points and how they can be overcome by active
involvement
• Create forums for business participations
Lack of insight into IT management
• Put a robust procurement process in place with proper approvals
• Establish links with the Finance and procurement processes
• Appoint relationship managers for better insight in IT management
11. Compliance Challenges - Process
High level of complexity hindering change
• Break down a complex task into simple modular bits
• Do a phase-wise implementation of improved process
• Remove duplicate processes and enable stepwise milestone completion
Inability to gain support for improvements
• Hold brainstorming sessions with stakeholders to get a 360-degree view
of the process flow
• Use jargon-free language and present in a simple, step-wise manner
• Establish a proper change enablement strategy and communication plan
Cost of improvements outweighing perceived benefits
• Bring in standardized processes for easier rollout
• Establish frameworks for long term gain for process efficiency
• Prioritize processes with ready benefits and easy implementation for
quick wins
12. Compliance Challenges - People
Lack of required skill set and competencies
• Develop, train, coach the champions first
• Use champions as agents of change nurturing them as mentors
• Cross-train staff across departments
Overcoming the barrier of resistance to change
• Awareness training with proper reward mechanisms
• Select champions as agents of change to bring gradual change to the
system
• Follow up on pre-decided milestones
• Focused awareness training on addressing pain points
Lack of trust and a good relationship with management
• Identify the risks and benefits of the proposed improvements
• Establish formal process for accountability in decision making
• Focus on business interfaces and service mentality
• Foster open and transparent communication about performance
• Formalize roles and responsibilities among business units with clear
segregation of duties