Tom Hinkel, Director of Compliance
In a perfect world, everyone knows exactly what is expected of them, and they do it flawlessly. In this utopia, regulators clearly articulate not only what is expected, but exactly how to implement their expectations, in a step-by-step process. Policies and procedures practically write themselves (just copy and paste from the regulations!), and all that network administrators have to do is simply sit back, review an occasional report, and wait for the phone to ring.
Meanwhile, back in the real world…
Regulators are constantly moving the target by issuing new regulations without specificity, leaving it to the institution to figure out how to implement them. Auditors are interpreting (and reinterpreting) existing regulations, forcing constant changes to both policies and procedures, and all the administrators and ISOs can do is try to keep up, while maintaining some measure of control.
Ideally, your policies, procedures, and practices would be in perfect alignment with regulatory guidance at all times. In reality, this is next to impossible, so change becomes the norm. One way you can measure how far off-target you might be with your information security program is to use Self Assessments, Metrics, and Independent Tests, collectively referred to as Condition Monitoring.
A Self Assessment is performed by internal staff, often with the assistance of vendors, and is designed to measure conformance with your own policies and procedures. Simply put, are we doing what we say we are doing?
Metrics compare your practices with financial industry standards and recognized best practices, such as BITS and ISO 17799. In other words, are our practices consistent with what others are doing?
Independent Tests include penetration tests, audits and third-party assessments, and must be performed by individuals who are independent of design, installation, maintenance, and operation of your systems. While necessary, these types of tests are more costly and time consuming than Self Assessments and Metrics, and are usually only performed every 12 to 18 months.
Typically, Self Assessments and Metrics are performed more frequently, as they can serve as a warning flag that adjustments need to be made prior to an audit. The good news is that the Safe Systems Quarterly Reviews can fulfill the requirement for Self Assessment, and the Annual Review can serve as a Metric. Beginning this quarter, you’ll see footnote references on the Quarterly Review worksheet that will map our checklist items with specific regulatory guidance. Later this year, the Annual System Review will incorporate the same reference citations.
All this may not lead to that perfect world, but it should make the job of aligning your policies, procedures, and practices a little easier. Now if we could just get the regulators to stop moving the target…