Monday, August 22, 2011

Compliance for the Masses - Simplified Models

This functional illustration shows how standards and regulations map to specific requirements, policies, controls, and audit points. I created a version of it for a group of RSA SEs learning Archer, as a way to quickly bridge the gap between authority documents (standards and regulations) and audits without losing the important details in between.

Standards and regulations - the Authorities - contain requirements, which, once documented by the organization, become policies and procedures. That's simple enough. Controls are implemented to ensure the policies are actually followed. Again - straightforward. Controls are then audited on a periodic basis to confirm that they still align with the policies and with the compliance mandates those policies were written to satisfy. Make sense?

This is a simple compliance model. There is a different, broader model and view of security, of which this compliance chain becomes one component.

PCI-DSS Example
  • Authority: PCI-DSS is the authority document, created and maintained by the PCI-SSC.
  • Requirement: (10.6) Review logs for all system components at least daily.
  • Policy: Monitoring Policy - states that logs will be reviewed at least daily.
  • Control: RSA enVision provides real-time monitoring and alerting for all system components, satisfying the daily-review requirement of the policy.
  • Audit: The auditor verifies that RSA enVision is appropriately monitoring and alerting on actionable events. Audit results and the supporting evidence are stored as part of the audit record.

Authorities to Audits