Re: ISO 27001 mapping to PCI

Subject: Re: ISO 27001 mapping to PCI
Date: Tue, 26 Feb 2008 16:38:14 -0600
Unsurprisingly, I agree with Sheldon.

The problem companies are having is that the number of regulations and
best practices that they have to conform to is exploding.  Just think
if you are a public company in California that processes health care
information that has customers and partially-owned public subsidiaries
in Europe, Japan and Canada.  So that organization and its
subsidiaries have to comply with SOX, CSOX, JSOX, EuroSOX (in the
future), HIPAA, California AB 1298 (health information data breach),
California SB 1386 (data breach), and European privacy laws.  Then you
choose ITIL for service management and Cobit (or ISO) for your info
security framework.  And that is not counting the new Federal Rules of
Civil Procedure changes for e-discovery, if you happened to be part
of several lawsuits at the same time. If a company had dedicated
internal audit teams and used different standards and processes for
each of these, the cost would be (and frequently is) enormous and
growing.

That is why having common controls mapped to these various items makes
sense for your internal audits to give proof of compliance to your
external auditors.  You can also know if you have a control called
"password length" that one technical check can apply for many
different regulations and best practices so you don't have to tie up
your systems and networks by checking this multiple times for multiple
internal compliance groups.

W. Lee Schexnaider, CISSP
Sr. Engineer – Compliance Content Developer
Symantec Corporation
www.symantec.com
-----------------------------------------------------
Office:  713.561.4111
5151 San Felipe
Houston, Texas 77056
Email: lee_schexnaider@symantec.com
-----------------------------------------------------
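The "one technical check applied for many regulations" idea in the message above, as an added example that is not part of this thread: a single password-length check tagged to several standards, run once against a constructed login.defs fragment, producing one evidence record per standard. The per-standard minimum lengths are hypothetical placeholders, not quotations of the standards.

```python
"""Added example: one atomic technical check tagged to several standards.

Constructed sample config and hypothetical per-standard minimum lengths
(placeholders, not quotations of any standard's actual text).
"""

# Hypothetical thresholds: replace with the values from the standards you map.
STANDARDS = {
    "PCI DSS": {"password_length": 7},
    "ISO 27001": {"password_length": 8},
    "SOX": {"password_length": 8},
    "HIPAA": {"password_length": 8},
}

# Constructed /etc/login.defs fragment used as the system under test.
SAMPLE_LOGIN_DEFS = """\
# constructed login.defs fragment
PASS_MAX_DAYS   90
PASS_MIN_LEN    10
UMASK           077
"""

def parse_login_defs(text):
    """Return key/value pairs, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings

def effective_requirement(control, standards=STANDARDS):
    """Strictest threshold across every standard that includes the control."""
    return max(rules[control] for rules in standards.values() if control in rules)

def run_password_length_check(text, standards=STANDARDS):
    """Run the check once; emit one pass/fail evidence record per standard."""
    observed = int(parse_login_defs(text).get("PASS_MIN_LEN", 0))
    evidence = {name: observed >= rules["password_length"]
                for name, rules in standards.items() if "password_length" in rules}
    return observed, evidence

if __name__ == "__main__":
    observed, evidence = run_password_length_check(SAMPLE_LOGIN_DEFS)
    print(f"PASS_MIN_LEN={observed}, need >= {effective_requirement('password_length')}")
    for name, ok in evidence.items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Checking the setting once against the strictest mapped threshold gives a single result that internal audit can hand to each external auditor, instead of re-running the same query per compliance group.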



On Tue, Feb 26, 2008 at 12:35 PM, Sheldon Malm <smalm@ncircle.com> wrote:
I'm not going to get into a debate with you on this - simply stating
that the preparation for audits is very different than the execution of
audits.  For the record, my working for a vendor in this space has
nothing to do with my opinion.  I spent nearly a decade with a Fortune
500, and used the same approach very effectively on the customer side.

There is sufficient overlap in the preparation stages for different
standards that it makes sense to tag atomic items (controls) if they are
included in multiple standards for reuse.  This is really no different
than a platform like .NET making reusable services available to multiple
programs.  Where the controls are identical, it makes no sense to do
them separately and at multiple times by multiple people simply because
they fall into different, higher-order standards.

Cheers.

Sheldon Malm
Director
Security Research & Development
nCircle Network Security

Check out the VERT daily post
http://blog.ncircle.com/vert



-----Original Message-----
From: Craig Wright [mailto:Craig.Wright@bdo.com.au]
Sent: Tuesday, February 26, 2008 1:14 PM
To: Sheldon Malm; Craig Wright; PCSC Information Services; p1g; Jason P. Rusch
Cc: security-basics@securityfocus.com
Subject: RE: ISO 27001 mapping to PCI

Well, you are marketing a product, so I would expect such a response.

The reality is that this approach is BS. Any organisation that I have
seen doing this fails at least one if not both.

Different systems have separate requirements. You can make an ISO
27001/2 ISMS for a PCI system - but it will not apply elsewhere and is
more work than completing each one at a time.

Craig (GSE-Compliance, G7799, GPCI...)


