What are the advantages to having a Unified Compliance Framework of Infosec? And is this acceptable globally?

Security & GRC
3.5k views5 Comments
CISO in Software, 10,001+ employees
One of the advantages is the reduction of the costs, overhead, confusion and redundancy of multiple mappings from the same controls to numerous audits and certifications.
2
Principle Consultant in IT Services, Self-employed
I can see numerous benefits to a single compliance framework, like less audits, less confusion over the controls, less staff tracking all the different control sets. Though it would be nice, I am uncertain if there is a drive to get there. For example, PCI exists to save the credit card companies money, why would they care about what you do for the rest of your infrastructure? AND why do people implement PCI, only because they have to to process credit cards.
2
Senior Information Security Manager in Software, 501 - 1,000 employees
The benefit of a unified framework is that things are unified, no redundancy.

The downside is that not every can agree what that framework should be.

Sort of like Esperanto. Great idea in theory, just didn’t work in practice.

 

 
Chief Evangelist | Former Gartner Analyst | Former CISO in IT Services, 11 - 50 employees
Using a rationalized compliance framework (UCF is a specific commercial framework) is great for organizations with multiple attestation requirements. It allows you to attest/demonstrate controls once rather than multiple controls per underlying framework utilizing the mappings. If your requirement is certification, the value is reduced because the biggest challenge remains that there is no reliance /trust between frameworks and certifications. Ie ISO27001 certification can’t be relied on during SOC2 audits
Chief Information Security Officer in Healthcare and Biotech, 1,001 - 5,000 employees
UCF can be used as a starting point but organization has to follow the law of the land. 

Content you might like

Is there a disconnect between security leaders and the businesses they serve?

Security & GRCBoard EngagementInternal CXO Relationships

Yes, most security leaders.25%

Yes, some security leaders.61%

No10%

Not sure2%


360 PARTICIPANTS
1k views1 Comment

Would anyone be willing to share best practices about how their organization deals with ensuring Cookie Compliance, specifically to GDPR rules? Where should this sort of compliance review sit in an organization? The particular issue we have is who should review new web deployments that use cookies and to make the decisions on whether Cookies are Strictly Necessary or Functionality Cookies. For example is a Cookie required for a Live Chat to work Functionality or Strictly Necessary? Our Security team does not consider taking on these compliance reviews as their domain, as Cookie Compliance is not an internal security matter and the Data Protection team has a limited interest as the GDPR rules around Cookies apply in case of any Cookie being used by a website, whether or not it contains personal data. 

Security & GRCRegulatory Compliance
322 views1 Comment

What strategies are you currently using to minimize ransomware risks at your organization?

Security & GRCThreat & Vulnerability ManagementData Protection & Encryption

We've adopted a zero trust security approach.33%

Network segmentation / Air gapping networks51%

Implementing a cybersecurity framework like MITRE ATT&CK or NIST39%

Creating reliable and accessible backups44%

All of the Above19%

Other (please share below!)0%


556 PARTICIPANTS
2.2k views1 Upvote

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & LeadershipStrategy & ArchitectureCloud+57 more
CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
142 19 Replies
Read More Comments
46.6k views133 Upvotes324 Comments

Where do HR and other non-security/IT departments fit into your insider risk management strategy/program? What role do they currently play?

Security & GRCRisk ManagementThreat & Vulnerability Management+1 more
Read More Comments
4.6k views1 Upvote7 Comments