Published: 26 November 2019
Summary
The widespread belief that being compliant also means being secure is incorrect, as one does not necessarily ensure the other. This research provides five compliance questions that I&O leaders can ask the CISO and five security questions to ask the CCO or auditor to ensure both compliance and security.
Included in Full Research
- Incorporate the Needs of Compliance and Security in Your Strategy
- Ask the CISO Five Questions to Determine If an Endpoint Is Secure
  - 1. How Often Do Your Team Members Coordinate With Their Counterparts in Compliance and I&O?
  - 2. Who Verifies That the Products, Services and Components Selected, Implemented and Built Meet Compliance Requirements?
  - 3. Are You Communicating Compliance Review Resource Requirements? Have You Estimated Time Into Your Projects to Allow Proper Reviews of Compliance and Security?
  - 4. Who Is Periodically Comparing the Letter of the Law and the Actual Compliance Directives With the Dynamics of the Security Landscape?
  - 5. What Is Our Current Exposure to Data Leakage?
- Ask the CCO Five Questions to Determine If the Environment Is Compliant
  - 1. When Was the Last Time You Coordinated With the CISO and the Security Teams?
  - 2. How Is Accountability Built Into Our Compliance Reviews to Ensure That All Stakeholders in a Project Have Communicated About Security?
  - 3. How Do Our Key Performance Indicators Account for Security?
  - 4. How Does the Organization’s Use of Compensating Controls Address Security Gaps in a Manageable Way?
  - 5. How Will Our Compliance Framework Prevent Passing a System That Contains Major Security Errors?