Hi,
Compliance must be addressed at multiple levels of abstraction, depending on the company roles that have to analyze the compliance results.
The goal must be clear for each function in the company. Typically the roles involved are:
- CxO
- Security Management
- Operations
The following elements must be addressed in the Compliance Program:
a) the definition of processes regarding compliance activities
b) the actual mapping to and from:
  - Regulation (Privacy, SOX, PCI, etc.)
  - Internal Policy (Information Security Policy, regulation specific, etc.)
  - Baseline (SOX for Windows, PCI for Unix, etc.)
  - Control Set (actual controls to be configured on the enterprise compliance tool)
c) the Remediation (in terms of strategy and practical tasks)
d) the Reporting (one of the most important tasks), to be performed at each of the 3 levels:
  - Policy Compliance (for CxO, generally), in order to assess the overall actual level of compliance with the specific regulation
  - Baseline (for Security Management), in order to describe some more details, showing the effectiveness of the security infrastructure in place
  - Control Sets (for Operations), in order to show the specific level of effectiveness of each practical control
I work for a famous vendor.
We have some products about compliance and we usually develop some add-ons (tailored to the customer's specific requests) in order to accomplish b) and d).
Obviously, there must be a methodology for addressing compliance, not based on the products. It must be based on the elements I wrote above.
The value of a tool lies in its capability to help in the implementation of the compliance program.
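As an added illustration (not part of the original post, and not any vendor's product code), the following Python sketch models the mapping from point b) (regulation, internal policy, baseline, control set, control) and rolls the pass/fail results up to the three reporting levels from point d), one per role. All regulation, baseline and control names are constructed sample data.

```python
# Added example: regulation -> policy -> baseline -> control set mapping,
# with roll-up reporting at the policy, baseline and control-set levels.
# All names below are constructed sample data, not real baselines or controls.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Control:
    """One practical check as evaluated by a compliance tool (pass/fail)."""
    name: str
    passed: bool


@dataclass
class ControlSet:
    name: str
    controls: List[Control]


@dataclass
class Baseline:
    name: str                       # e.g. "PCI for Unix"
    control_sets: List[ControlSet]


@dataclass
class Policy:
    name: str                       # internal policy document
    regulation: str                 # external regulation it implements
    baselines: List[Baseline]


def _summary(name: str, passed: int, total: int, level: str) -> Dict:
    # An empty set counts as 0% rather than raising ZeroDivisionError.
    return {"level": level, "name": name, "passed": passed, "total": total,
            "ratio": passed / total if total else 0.0}


def control_set_report(cs: ControlSet) -> Dict:
    """Operations view: effectiveness of each practical control set."""
    passed = sum(1 for c in cs.controls if c.passed)
    return _summary(cs.name, passed, len(cs.controls), "control_set")


def baseline_report(b: Baseline) -> Dict:
    """Security Management view: roll-up over the control sets of a baseline."""
    parts = [control_set_report(cs) for cs in b.control_sets]
    return _summary(b.name, sum(p["passed"] for p in parts),
                    sum(p["total"] for p in parts), "baseline")


def policy_report(p: Policy) -> Dict:
    """CxO view: overall compliance with the regulation behind a policy."""
    parts = [baseline_report(b) for b in p.baselines]
    rep = _summary(p.name, sum(x["passed"] for x in parts),
                   sum(x["total"] for x in parts), "policy")
    rep["regulation"] = p.regulation   # keeps the policy -> regulation mapping
    return rep


def report_for_role(role: str, policies: List[Policy]) -> List[Dict]:
    """Select the reporting level that matches the role (point d)."""
    if role == "CxO":
        return [policy_report(p) for p in policies]
    if role == "Security Management":
        return [baseline_report(b) for p in policies for b in p.baselines]
    if role == "Operations":
        return [control_set_report(cs) for p in policies
                for b in p.baselines for cs in b.control_sets]
    raise ValueError(f"unknown role: {role}")


# Constructed sample data: one internal policy implementing PCI, two baselines.
SAMPLE_POLICIES = [
    Policy("Information Security Policy", "PCI", [
        Baseline("PCI for Unix", [
            ControlSet("Unix password policy", [
                Control("minimum length", True),
                Control("maximum age", True),
                Control("password history", False)]),
            ControlSet("Unix logging", [
                Control("auditd enabled", True),
                Control("remote syslog", False)]),
        ]),
        Baseline("PCI for Windows", [
            ControlSet("Windows account lockout", [
                Control("lockout threshold", True),
                Control("lockout duration", True)]),
        ]),
    ]),
]

if __name__ == "__main__":
    for role in ("CxO", "Security Management", "Operations"):
        for rep in report_for_role(role, SAMPLE_POLICIES):
            print(f"{role:20} {rep['name']:26} "
                  f"{rep['passed']}/{rep['total']} ({rep['ratio']:.0%})")
```

The same underlying results feed all three reports; only the aggregation level changes, which is what lets CxO, Security Management and Operations each read the level of detail their role needs without separate data collection.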