Your IT infrastructure needs more than hardware or software. If your IT landscape is big enough, you already know that. The question of how to tackle compliance management remains. What kinds of internal and external controls from regulations and other sources are there? What is IT-Risk and IT-Compliance management? Why and for whom does it matter? How can we handle it, and how does compliance aggregation fit into the picture?
First of all, you need to know what's in your environment, what assets your organisation consists of. How do you want to protect something if you don't know it exists? Also make sure you know where it is. Charting the access paths to data is not a trivial task. Then you need to know the risk appetite of your company. How much risk are you willing/required/legally allowed to take? This answer is very important, for it directly influences the budget you need for security measures. And of course you need the appropriate tools for the job: tools which allow you to focus on the security topic. The market is full of gadgets promising lots of features – all of which distract you from what you want to achieve.
It doesn't matter whether you approach compliance management because you have to or because you want to know about and identify the processes, assets, vulnerabilities and risks your organisation has to deal with. Either way, it's all about obtaining and managing knowledge properly. To put it in simpler terms: if you are worried about data loss, you have to know where your data is. Compliance management is very much the same, only on a bigger scale.
Adrian Wiesmann will address these questions by introducing the SOMAP.org project. The project offers tools to handle IT-Compliance aggregation and IT Security compliance management in general. It has the benefit of being affordable if you are on a budget, and it pools the experience of many developers and security professionals into the tools themselves. His talk is directed at auditors, CIOs, and everyone doing business in security administration.