I participate in the Focus network and tried to answer the following question from “Caty” on their discussion board:
“How can compliance automation help secure my organization’s IT infrastructure?” Please describe the benefits of compliance automation and discuss how it can be used to secure an organization’s IT infrastructure.
However, after trying to submit my response in around half a dozen ways, I was told my answer was too long. Instead of shaving off some of my content, I decided to post to my blog, and then point to here from there. Perhaps my other blog readers will be interested in my thoughts on this topic as well.
So, here is my answer…
There are many ways in which automation, in general, can benefit a business. With regard to information security and privacy compliance (not to mention all the other types of compliance responsibilities that exist within every organization), automation, when used by people who know the business and who also have information security and privacy experience and understanding, can improve security and compliance in significant ways.
However, used incorrectly, or without an understanding of information security risks and the appropriate corresponding mitigation actions, automation can prolong security problems and even degrade good security into poor, or even disastrous, security.
You can never take the human factor completely out of information security and privacy compliance activities and still see real information security improvements; decisions about how to use the tools will always require sound reasoning and practical judgment calls.
I’ve been doing information security and privacy compliance work for over two decades, and I’ve seen about every type of “compliance automation” tool out there…the good, the bad and the ugly.
As time progresses, technology advances, and new laws and regulations are enacted, this view of compliance automation tools remains steadfast. There are still vendors hawking the good, the bad, and the downright ugly, which is to say dangerous where security is concerned.
Different organizations will realize different benefits, and correspondingly different security improvements, from automation tools depending on a number of factors, including:
1) their size;
2) the industry and associated customers/clients;
3) their geographic locations;
4) the expertise, understanding and maturity level of the staff who must use the tools; and
5) the level of maturity of the organization’s information security program itself.
Some compliance automation tools can greatly enhance the security posture of small organizations with limited human resources, for example by providing the tasks and framework they need to follow so that they do not overlook something important as a result of having little time and expertise.
Some compliance automation tools can greatly enhance the security posture of medium and large organizations that have complex systems, networks and applications, and/or that are scattered across multiple geographic locations. Automation can keep complexity manageable, giving security pros insights into their security posture that they would not otherwise be able to determine on their own.
Good, effective compliance automation tools can also help information security in all types of businesses by:
1) Collecting huge amounts of data and synthesizing that data more quickly into meaningful reports about security risks, in ways that would be hard or impossible to accomplish through one or more sets of human eyes alone.
2) Logging activities that support compliance requirements and that also reveal security incidents, breaches, and policy non-compliance.
3) Providing guidance to information security and privacy practitioners by linking and mapping their security-improving activities to the associated compliance requirements, such as those of HIPAA and HITECH, to help ensure that they do not have any gaps.
4) And around at least a dozen more I could add…
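To make points 1 through 3 concrete, here is a small added example (written for this post; it is not code from Compliance Helper or from any vendor tool the post mentions). It collects a constructed asset inventory, evaluates each asset against a few rules, maps every gap to a placeholder control identifier (the "CTRL-..." labels are assumed, not citations of HIPAA or HITECH text), and flags the checks that a tool cannot fully decide on its own so that a human still reviews them.

```python
"""Added example: a minimal compliance-evidence checker.

Illustrative code only. The control identifiers, rules and asset records are
constructed placeholders, not citations of any regulation or a real product.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable

# Constructed asset inventory: the kind of data a compliance tool gathers
# automatically from servers, endpoints and directories.
ASSETS = [
    {"name": "db-01", "disk_encrypted": True, "log_retention_days": 400,
     "last_access_review": date(2024, 1, 15), "handles_phi": True},
    {"name": "web-02", "disk_encrypted": False, "log_retention_days": 30,
     "last_access_review": date(2023, 2, 1), "handles_phi": True},
    {"name": "kiosk-03", "disk_encrypted": True, "log_retention_days": 90,
     "last_access_review": None, "handles_phi": False},
]


@dataclass
class Rule:
    control_id: str                   # placeholder mapping to a requirement
    description: str
    check: Callable[[dict], bool]     # asset -> True when compliant
    needs_human_review: bool = False  # tool can only flag; an expert decides


def review_is_recent(asset, today, max_age_days=365):
    """True if an access review happened within max_age_days of today."""
    last = asset["last_access_review"]
    return last is not None and (today - last).days <= max_age_days


def build_rules(today):
    """Assumed rule set; a real program would derive these from its policy."""
    return [
        Rule("CTRL-ENC-1", "Disks holding protected data are encrypted",
             lambda a: (not a["handles_phi"]) or a["disk_encrypted"]),
        Rule("CTRL-LOG-1", "Audit logs retained at least 180 days",
             lambda a: a["log_retention_days"] >= 180),
        Rule("CTRL-ACC-1", "Access rights reviewed within the last year",
             lambda a: review_is_recent(a, today), needs_human_review=True),
    ]


def evaluate(assets, rules):
    """Return one finding per (asset, rule) pair that fails the check."""
    findings = []
    for asset in assets:
        for rule in rules:
            if not rule.check(asset):
                findings.append({
                    "asset": asset["name"],
                    "control_id": rule.control_id,
                    "description": rule.description,
                    "human_review": rule.needs_human_review,
                })
    return findings


def summarize(findings):
    """Group failing assets by control so the report maps to requirements."""
    by_control = {}
    for f in findings:
        by_control.setdefault(f["control_id"], []).append(f["asset"])
    return by_control


def report(assets, today):
    """Run the checks and return (findings, gaps-by-control)."""
    findings = evaluate(assets, build_rules(today))
    return findings, summarize(findings)


if __name__ == "__main__":
    findings, gaps = report(ASSETS, date(2024, 6, 1))
    for control, names in gaps.items():
        print(f"{control}: gaps on {', '.join(names)}")
    for f in findings:
        if f["human_review"]:
            print(f"needs expert review: {f['asset']} / {f['control_id']}")
```

The automated part does what the list above describes: it gathers the evidence, applies the checks consistently across every asset, and maps each gap to a requirement. The `needs_human_review` flag is the point of the rest of the post: the tool can tell you that no review date is recorded, but only a person can judge whether the access rights on that system are actually appropriate.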
A compliance automation tool may improve the security posture of one organization greatly and have a negative impact on a different organization. It depends upon which activities the compliance tool is trying to automate, and upon the people using the automation tool.
It is important to keep in mind that there is no compliance automation tool that will completely and effectively bring an organization of any type into compliance and improve *ALL* aspects of security. If a vendor is trying to make this claim, then watch out; they may also have some magic beans to sell you.
When looking at compliance automation tools you first need to know your organization’s vulnerabilities, threats, and the resulting risks, as some of the others have indicated. You also need to know the maturity level of your staff’s compliance capabilities and have a good feel for your organization’s information security maturity level. You can then choose the most appropriate compliance automation tool to bring the greatest value, along with improved security, to your organization.
You can never completely automate compliance, and nothing will ever bring your organization to 100% security of its systems and information assets. As business changes, and as humans touch information in all sorts of ways, 100% security could only be achieved by removing human interaction, which is not possible in a productive business! However, organizations that choose the appropriate tools for their specific needs will find that their security can be improved measurably.
I’ve written about this many times over the years (you can see my books and some of my articles at my web site, http://www.privacyguidance.com), and I also provide a service (Compliance Helper, http://www.compliancehelper.com) to help organizations have an effective information security and privacy program in addition to reaching compliance with HIPAA/HITECH through a variety of automated tools, coupled with ongoing oversight by information security experts (“helpers”) for those organizations that need to have someone to help them understand how to best use the tools, and also act as information security and privacy advisors and mentors.
I’d be happy to speak with you, and anyone else, who is interested in knowing more.
Cross-posted from Privacy Professor