A Tough Challenge
By Keith Payne | Posted 2012-04-20
Javitch, Block & Rathbone separated information systems security compliance from its legal compliance department, and the two departments now work hand in hand.
I’m a one-person information security department, but I lead and manage IS compliance for the firm as a whole, as well as for each area of practice that has its own overlapping and unique governance and operations. Add the need, at least to some extent, to manage them independently of each other, and it’s a real challenge.
Since legal compliance is an integral core competency of our firm, we determined that IS security compliance needed to be separated from the legal compliance department and become an independently managed system. The newly formed information security department was designed to complement and work hand in hand with the firm’s legal compliance function.
To accomplish this, we developed an Information Security Management System (ISMS) based on ISO 27001. The governing committee managing the system consists of a managing partner of the firm, the director of information development, the director of information technology and the chief operations officer. I chaired the committee.
The first order of business involved organization. The legal compliance department clarified which governing laws, regulations and contractual obligations drove our business, and the committee began a discovery process to consolidate the volumes of policies and procedures related to information security.
We found the solution in LockPath’s Keylight Governance, Risk and Compliance (GRC) platform, which was customizable and scalable to meet our needs, as well as the needs of the financial industries we service. We chose the program as a software as a service (SaaS) to minimize the impact on our technology infrastructure.
The GRC platform gave the committee and legal compliance a clear view of the size of our regulatory obligations. When we tallied all the controls identified individually, the compliance task turned out to be extensive; attempting to identify overlaps manually and ensure compliance against each one was unmanageable.
The platform’s integration with the Unified Compliance Framework (UCF) content provided us with a means to eliminate the duplication and overlapping of the controls under which we operate. We immediately experienced a 60 percent reduction in the total number of controls required to be implemented in order to be compliant with the regulations that govern our work. This cleaner view of the scope enabled us to streamline the policy and procedures by focusing on what truly added value to our ISMS.
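The deduplication described above can be illustrated with a small crosswalk: each requirement from each obligation source is mapped onto one common control, and the common control keeps a record of every citation it satisfies, so evidence collected once serves all of them. The following is an added example, not LockPath, Keylight or UCF content; the obligation sources, requirement wording and `CC-nn` control identifiers are constructed placeholders, and the reduction it reports comes from that constructed data rather than the 60 percent figure in the article.

```python
"""Harmonize overlapping regulatory citations onto one common control set.

Added example; not vendor or UCF content. All sources, requirements and
control ids below are constructed placeholders.
"""
from collections import defaultdict

# Constructed: each obligation source lists the requirements the firm must meet.
OBLIGATIONS = {
    "RegulationA": ["A-1 access reviews", "A-2 encrypt data at rest", "A-3 incident reporting"],
    "RegulationB": ["B-7 quarterly access recertification", "B-8 breach notification",
                    "B-9 vendor due diligence"],
    "ClientContract": ["C-1 annual access review", "C-2 encryption of client files",
                       "C-3 notify within 72h"],
}

# Constructed crosswalk: requirement -> common control id (placeholder ids).
CROSSWALK = {
    "A-1 access reviews": "CC-01",
    "B-7 quarterly access recertification": "CC-01",
    "C-1 annual access review": "CC-01",
    "A-2 encrypt data at rest": "CC-02",
    "C-2 encryption of client files": "CC-02",
    "A-3 incident reporting": "CC-03",
    "B-8 breach notification": "CC-03",
    "C-3 notify within 72h": "CC-03",
    "B-9 vendor due diligence": "CC-04",
}


def harmonize(obligations, crosswalk):
    """Map every requirement through the crosswalk.

    Returns {control_id: [(source, requirement), ...]} so each common control
    carries the citations it satisfies. A requirement absent from the crosswalk
    becomes its own UNMAPPED control rather than being silently dropped.
    """
    controls = defaultdict(list)
    for source, reqs in obligations.items():
        for req in reqs:
            control_id = crosswalk.get(req, f"UNMAPPED:{req}")
            controls[control_id].append((source, req))
    return dict(controls)


def reduction_percent(obligations, controls):
    """Percentage drop from raw requirement count to harmonized control count."""
    raw = sum(len(reqs) for reqs in obligations.values())
    return round(100 * (raw - len(controls)) / raw)


def unmapped(controls):
    """Control ids that need a crosswalk entry before the scope is trustworthy."""
    return sorted(c for c in controls if c.startswith("UNMAPPED:"))


if __name__ == "__main__":
    harmonized = harmonize(OBLIGATIONS, CROSSWALK)
    for control_id, citations in sorted(harmonized.items()):
        print(control_id, "satisfies", citations)
    print("reduction:", reduction_percent(OBLIGATIONS, harmonized), "%")
    print("unmapped:", unmapped(harmonized))
```

The `UNMAPPED` path is the check worth keeping: a crosswalk that quietly drops a citation it does not recognise would understate the scope just as badly as manual review overstated it.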
Once we had a solid base of obligations on which to build, I, as the committee chair, began discovering the assets that housed and processed the information. We deployed the open-source utility Nmap to inventory the entire network, along with the Nessus vulnerability scanner to determine configurations and provide a vulnerability analysis of our network’s security posture. The output of these tools was fed directly into the GRC platform, allowing me to manage the cleanup of systems effectively and, in some cases, to retire obsolete or highly vulnerable ones.
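The feed from the scanners into the GRC platform amounts to building an inventory record per live host and joining vulnerability findings onto it so that the worst-affected systems surface first. The following is an added example of that step, not the firm's integration or any LockPath, Nmap or Nessus code; the Nmap XML (in the shape `nmap -oX` produces) and the scanner findings are constructed sample data, and the `PLUGIN-*` identifiers are placeholders, not real Nessus plugin ids.

```python
"""Build an asset inventory from Nmap XML and attach scanner findings.

Added example; not the firm's tooling. All sample data is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed Nmap XML (nmap -oX style), trimmed to the fields used here.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX inv.xml 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver01" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2003" accuracy="96"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <hostnames><hostname name="docmgmt01" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
    <os><osmatch name="Linux 3.X" accuracy="90"/></os>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed vulnerability-scanner findings; plugin ids are placeholders.
FINDINGS = [
    {"host": "10.0.0.5", "plugin": "PLUGIN-A", "severity": "Critical", "name": "Unsupported OS"},
    {"host": "10.0.0.5", "plugin": "PLUGIN-B", "severity": "High", "name": "SMB signing not required"},
    {"host": "10.0.0.6", "plugin": "PLUGIN-C", "severity": "Medium", "name": "TLS 1.0 enabled"},
]

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def parse_nmap_inventory(xml_text):
    """Return {ip: asset} for every host Nmap reported as up."""
    assets = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts are not inventory entries
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")  # Nmap lists the best match first
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            svc_name = service.get("name") if service is not None else ""
            open_ports.append((port.get("protocol"), int(port.get("portid")), svc_name))
        assets[ip] = {
            "ip": ip,
            "hostname": hostname.get("name") if hostname is not None else "",
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "open_ports": open_ports,
            "findings": [],
        }
    return assets


def attach_findings(assets, findings):
    """Join findings onto inventory by IP; return findings for hosts the inventory lacks."""
    orphans = []
    for finding in findings:
        if finding["host"] in assets:
            assets[finding["host"]]["findings"].append(finding)
        else:
            orphans.append(finding)  # scanner saw a host that Nmap did not: investigate
    return orphans


def triage(assets, min_severity="High"):
    """IPs whose worst finding is at or above min_severity, worst first."""
    threshold = SEVERITY_RANK[min_severity]
    scored = []
    for ip, asset in assets.items():
        worst = max((SEVERITY_RANK[f["severity"]] for f in asset["findings"]), default=-1)
        if worst >= threshold:
            scored.append((worst, ip))
    return [ip for _, ip in sorted(scored, reverse=True)]


if __name__ == "__main__":
    inventory = parse_nmap_inventory(NMAP_XML)
    orphans = attach_findings(inventory, FINDINGS)
    for ip in triage(inventory):
        asset = inventory[ip]
        print(ip, asset["hostname"], asset["os"], [f["name"] for f in asset["findings"]])
    print("findings with no inventory host:", orphans)
```

The orphan list is the reconciliation check a practitioner wants here: a finding against an address that the network inventory never recorded means one of the two discovery sources is incomplete, and that gap is worth resolving before the cleanup list is trusted.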