Companies face multiple security-related regulations.
lekatis
There are so many things to do, and so many constraints. We do not have the budget and the resources to do everything each regulation demands. Even if we have the budget, we must maintain security in ever-changing technical environments, try to find experts who are really experts, and try to understand the not-so-well-defined best practices.
We have to be very careful.
The best thing to do: scalable risk assessments performed on a regular basis. Choose security controls that are defined, documented, and tested, so that they demonstrate accountability and transparency. Controls must be mapped to COSO, COBIT, or ISO frameworks. We must try to understand not only SOX, but every other regulation, and try to find a common road to all.