Few areas of technology are as contradictory as governance, risk and compliance. A company might do everything to be secure yet still not be in compliance.
For some, maintaining a focus on the governance, risk management and compliance (GRC) landscape is data security nirvana, the epitome of an ideally balanced data strategy. For others, it’s a maddingly frustrating and impossible task where conflicting geographic rules and industry standards make strict compliance untenable and the attempt counter-productive. Just to make life interesting, it turns out that both these perspectives have a semblance of truth.
The most popular suggestion for GRC compliance is to focus on the intent of regulators and standards bodies – most of which base almost everything on security and privacy best practices – and not the letter of their edicts. Many regulators, auditors and assessors are much more forgiving when they see that someone truly is trying to deliver a safe and secure environment and avoiding the checkbox mentality approach. That said, “many” does not equal “all,” which is why data security in 2017 is not for the faint of heart.
To read the full whitepaper, along with my comments on the topic, you can download direct from SC Magazine.
About the Author
Doug Barbin is a Principal at Schellman & Company, Inc. Doug leads all service delivery for the western US and is also oversees the firm-wide growth and execution for security assessment services including PCI, FedRAMP, and penetration testing. He has over 19 years of experience. A strong advocate for cloud computing assurance, Doug spends much of his time working with cloud computing companies has participated in various cloud working groups with the Cloud Security Alliance and PCI Security Standards Council among others.More Content by Douglas Barbin