Dealing with Regulatory Compliance
Our experience indicates that most industries have to comply with a number of technology related laws, rules and regulations as part of their operations. The punitive nature of these regulations means that significant effort and resources are allocated to ensuring alignment with them. As these regulations are almost certainly not going to become any less onerous over time, a suitably flexible security framework is required to meet existing and future regulatory requirements.
Beyond the selection and deployment of controls, regulations are increasingly focused on ensuring that the controls actually do what they are supposed to. Some compliance requires point-in-time audits, but it is not inconceivable that regulations will move towards mandating continuous monitoring, as is increasingly being legislated in the United States (see, for example, FedRAMP and FISMA).
Things to consider
So, effectively, regulatory compliance leaves us with two considerations:
1. Selection and deployment of controls. A vast number of controls can be selected, but we find that a more effective means towards security is to use an existing, mature framework. This offers a foundation for more robust, comprehensive and adaptable security. Security is never achieved overnight, and frameworks also allow for the better strategic alignment of security towards a coherent long-term goal.
2. Continuous monitoring of controls. Our experience shows that continuous monitoring is easier in some places than others. Unsurprisingly, cloud compliance is much simpler to achieve, with most major cloud providers offering native tools to assist with this. However, on-premises environments present a different problem, one which can only effectively be solved with automation.
How we can help
At Basis Networks, we have experience with both Australian and international regulatory frameworks and the way in which the right technology solutions can make compliance easier. We can help you make sense of both selection and deployment of controls, as well as the ongoing measurement of their effectiveness and value. If you would like further information, please get in touch.