loptel.blogg.se

Sox iso 27001 mapping

Back when I first started the Information Security Program at National Instruments, Sarbanes-Oxley (SOX) compliance was my primary concern. In fact, it was what my management used to justify me moving into NI's first full-time security role, and I was told to "Beat SOX to the point where a monkey could do it." With that as my stated objective, I worked to develop our IT audit program around the hybrid COBIT and COSO controls that made up our SOX framework. I managed and performed all of the testing across our IT environments and worked directly with our third-party audit firm, who performed the independent validation of our controls. Within a couple of years, I had a firm grasp on our SOX audit work and was able to transition the performance of most of the testing to employee #2 on my fledgling security team.

With my hands now free from the majority of our SOX work, I began to focus my attention on other areas that needed security work. I started working on application security, and frameworks like the OWASP Top 10 became of interest to me. I created a formal vulnerability management program, which expanded my team's reach into operational and network security as well. As NI continued to grow as a company, our processing of credit cards went over a threshold and, suddenly, compliance with the Payment Card Industry Data Security Standard (PCI DSS) came to the forefront, requiring us to do a self-assessment across a large number of new requirements for our organization.

Suddenly, I found myself looking to use frameworks like ISO27001, NIST 800-53, and the CIS Critical Security Controls as a best practice approach with our IT teams. Fast forward a few more years and we're doing business with the federal government, which is requiring us to adhere to NIST 800-171, DFARS and FAR. Of course, based on my track record with SOX, the business came to me for answers, and I delivered.

GDPR comes on the scene over in the EU, where we have both customers and employees, so we're now being asked about the implications of that. And we've even started to incorporate the NIST Cybersecurity Framework (CSF) controls into our security program as a form of baselining and roadmapping our security program, which I talk about in more detail here. All this, and a number of other frameworks that I'll refrain from mentioning because it gives me an anxiety attack. Ultimately, we're talking about one to two dozen different frameworks that my organization was either tracking or attempting to adhere to, and the subsequent governance and compliance efforts to manage each one, independently, took up a massive amount of time and effort for my team.