Standards-Based Approach Can Simplify IT Compliance
By: Biztech2 Staff  |  May 07, 2008
RSA, the security division of EMC, has announced the findings of a new research paper that details the benefits organisations may gain – including reduced costs and improved security – by implementing a standards-based framework of security controls. The paper also details the ability of comprehensive security frameworks to help companies more easily comply with a variety of security requirements handed down by regulatory bodies, industry groups, partners, customers and internal policies.

In addition, RSA announced new reports within the RSA enVision security information and event management solution that are designed to enable organisations to more easily report on key aspects of the ISO 27002 standard – a global code of practice for information security management, which is useful in defining an effective set of best practice security controls as part of a compliance framework.

In March 2008, RSA commissioned Michael Rasmussen, industry analyst and president of Corporate Integrity, to undertake a research paper based on what it means to develop a “sustainable and cost-effective IT compliance program.” The key findings of this project are that the typical approach to compliance – responding on a regulation-by-regulation basis without an integrated IT compliance management program – escalates costs, reduces visibility of the control environment overall, wastes resources, and leads to unnecessary complexity, inflexibility, vulnerability and exposure.

“A proactive approach to IT compliance allows organisations to look confidently to the future while also mitigating risk in the course of business,” says Rasmussen. “An effective IT compliance program should be centred on a comprehensive framework, based on industry-wide standards – such as ISO 27002.”

Security frameworks-based programs to simplify IT compliance

As organisations worldwide struggle both to comply with a plethora of compliance requirements and to improve enterprise-wide security, a framework-based approach founded upon best practices and controls helps customers to build a proactive security program that may effectively break down the walls that often isolate organisational compliance silos. By driving compliance holistically, rather than on a requirement-by-requirement basis, companies may reduce costs by both avoiding redundant technology controls and easing the process of managing compliance. In addition, leveraging international standards such as ISO 27002 as the foundation of an IT security and compliance program helps organisations align efforts to comply with key portions of many global regulations, including the Payment Card Industry (PCI) Data Security Standard (DSS), HIPAA, Sarbanes-Oxley, the European Union’s Data Protection requirements and regional data privacy laws.

“Our forward-thinking customers are using framework-based security and compliance programs to cost-effectively satisfy multiple requirements and manage information risk,” says Steven Preston, senior director, solutions marketing at RSA. “This goal can be achieved through the application of a consistent, holistic set of repeatable, scalable, enterprise-wide controls, which are centred upon recognised IT security best practices.”

RSA Solutions to establish security frameworks for simplified compliance


RSA’s portfolio of technology solutions offers key security controls that can help organisations establish frameworks based upon global best practices and standards. The portfolio comprises authentication, data loss prevention, encryption key management, and logging, monitoring and reporting solutions.
Copyright © 2006, Biztech2.com India - A Network18 Venture