Regulatory compliance continues to grow and is here to stay. As big corporations come to terms with the new realities of compliance, their response to noncompliant vendors will be ruthless. Enterprises that want or have big corporations as clients must include compliance as an integral part of their business model. The challenge is to integrate it without losing their agile service and cost-effective structure. NIST SP 800-53,1 an information security model developed by the US National Institute of Standards and Technology (NIST), can be a useful guide for service providers to build their security posture.
Security breaches, and the fundamental flaws they bring to light, are becoming more numerous and more complicated with each passing year. Each technological advancement brings new security vulnerabilities in its wake, and many, after following a tortuous path, end with a regulatory requirement in one form or another. While interpreting, assessing and complying with these regulatory requirements are huge hurdles for big organizations, they present an especially daunting challenge for the small and medium-sized firms that find themselves increasingly in the path of regulatory maelstroms with the potential to bring their business to a halt.
The Internet empowered entrepreneurs in ways unthinkable a mere decade ago. An innovator could, while sitting in Utah with three part-time employees (if that many), create a unique service that big corporations would beat a path to his/her (virtual) door to use. The giant companies see opportunities to leverage the tools created by these tech entrepreneurs to enrich their offerings to their customers. Today, the big banks (or manufacturers, retailers and others) use hundreds, if not thousands, of such small companies to keep their supply chain lubricated. Often, these services are white-labeled, meaning they are offered in the big corporation’s name. A logistics company uses a web service that automatically overlays delivery addresses on a map for each of its 11,000 drivers, for example. Or, a bank uses a web service that connects securely and confidentially to millions of businesses with which the bank’s customers want to transact. Or, a doctor’s office uses a web service that tracks all of its insurance payments in process and sends an alert when there is a problem.
These are different innovators and different solutions, but they have two common threads:
1. These disruptive technology solutions are light on footprint and heavy on innovation and value-addition.
2. They are very inexpensive. For example, the logistics company may pay pennies per truck per day, saving more than 60 minutes of the driver’s time each day.
THE PROBLEM
Everything seems to be working well and everybody seems to be happy. The problem, however, is that third-party vendors receive, transmit, store and/or process—on the big corporation’s (i.e., client’s) behalf—information that is subject to many different regulatory controls, and the corporation is required to prove that such data are secure across the entire supply chain and not just inside its corporate walls.
Based on the vendor’s role in the corporation’s supply chain, the vendor may be low, medium or high on the organization’s risk scale, and its compliance machinery starts cranking accordingly. A questionnaire with 200 to 400 questions or controls is sent to the vendor every one or two years, and the questions/controls are at a level of detail that the vendor has never thought of, let alone designed for, while developing the product or service.
The firm’s owners instinctively know that to support these requirements, they will have to build a large organization (that they do not need otherwise) and the key value proposition, “pennies per day per truck,” will evaporate.
Buck Kulkarni, CISA, CGEIT, PgMP, is the founder and president of GRCBUS Inc., a technology governance and outsourcing consulting firm based in New Jersey, USA. GRCBUS’s solutions leverage COBIT® as the overarching governance framework, supported by SEI, ITIL, PMBOK, ISO and NIST frameworks in their respective domains. This enables its customers to balance the technology performance expectations (service delivery, innovation and business alignment) with technology conformance mandates (risk, security, regulatory compliance and audits) in a unified, cost-efficient and sustainable manner.
A Sustainable and Efficient Way to Meet Clients’ Growing Security Expectations
Achieving Holistic Security Compliance With NIST SP 800-53