With the growing number of regulations to worry about, many organizations can benefit from developing a comprehensive InfoSec framework.
PCI DSS. HIPAA. GDPR. Russia’s data privacy law. These are just a few of the regulations and standards (‘regulations’ from now on) that an organization may have to satisfy. Complying with each one separately can easily become a complicated process, requiring a substantial amount of time and resources.
To address this, organizations would do well to consider adopting a comprehensive security framework.
A comprehensive framework consolidates the requirements of all applicable regulations into one corporate policy. Frameworks such as the NIST Cybersecurity Framework (CSF) and NIST SP 800-53 are good starting points: they contain a large catalog of policies and controls, and NIST publishes mappings from those controls to many other regulations and standards. Your organization can adopt NIST’s control catalog, tailor it to your environment, and use the published mappings to show which corporate control satisfies which regulatory requirement.
Thankfully, most regulations overlap heavily: conduct regular firewall rule reviews, have appropriate identity and access management processes, run anti-malware on endpoints, and so on. Where two regulations cover the same control, write the corporate policy to the stricter requirement so that meeting the policy meets both. Keep the mapping from each policy control back to the regulation clauses it satisfies, since auditors will ask for it. With that in mind, creating a comprehensive framework may be easier than most think.
Because all of the regulations are encapsulated in a single set of corporate policies, employees (including your security team) only need to comply with one set of rules rather than many. This reduces confusion and complexity, and generally makes life easier for everyone involved.
This week’s article is pretty short and straightforward. I’ve assisted with this process at a multinational organization, and there’s not much more to say unless you begin the process. If you have any questions, feel free to reach out to me!