Compliance management has historically focused on reactive security monitoring (SIEM and Log Management) to meet regulatory mandates. SIEM and Log Management do not proactively identify weaknesses in your network defenses; they only notify you after an event has occurred. As a result, companies continue to experience an increasing number of breaches even though they are in compliance with regulations at the time of a breach.
Fortunately, the use of information security controls can proactively strengthen your network security. In addition, this core set of information security controls can be mapped across a wide range of compliance regulations. By focusing on these best practices, you can improve security and compliance at the same time.
CIS / SANS Critical Security Controls Mapped to Compliance Frameworks
By implementing information security controls and assessing them on a continuous basis, it’s possible to get a clear picture of your compliance status. Instead of waiting for the annual audit and scrambling to address compliance gaps, a proactive approach focuses on incremental improvement year round.
There are two keys for successful implementation:
The controls need to be measurable – you should be able to see a pass/fail score for each system so that you can track your overall progress
The assessment needs to be automated – there simply isn’t enough time to consistently assess your security and compliance status if it’s a manual process
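As an added illustration of both keys (not code from the original text), the following Python sketches what a measurable, automated assessment produces: a pass/fail score per system, the controls each system still fails, and the same results rolled up per compliance framework through a control-to-framework mapping. The control names, framework references and assessment results are constructed placeholders, not an authoritative CIS-to-regulation mapping.

```python
from collections import defaultdict

# Constructed control catalog. The framework references are placeholders
# standing in for a real CIS-to-regulation mapping, not authoritative ones.
CONTROLS = {
    "asset_inventory": ["PCI-DSS", "HIPAA", "ISO27001"],
    "patch_currency":  ["PCI-DSS", "HIPAA"],
    "admin_mfa":       ["PCI-DSS", "ISO27001"],
    "central_logging": ["PCI-DSS", "HIPAA", "ISO27001"],
}

# Constructed output of one automated assessment run: per system, True = pass.
# A control with no recorded result is treated as a fail so gaps cannot hide.
RUN_RESULTS = {
    "web-01": {"asset_inventory": True, "patch_currency": False,
               "admin_mfa": True, "central_logging": True},
    "db-01":  {"asset_inventory": True, "patch_currency": True,
               "admin_mfa": False},            # central_logging never reported
}

def system_scores(results):
    """Fraction of catalog controls passing on each system (the pass/fail score)."""
    return {sys_name: sum(checks.get(c) is True for c in CONTROLS) / len(CONTROLS)
            for sys_name, checks in results.items()}

def failing_controls(results):
    """Per system, the controls still to remediate, sorted for stable reporting."""
    return {sys_name: sorted(c for c in CONTROLS if checks.get(c) is not True)
            for sys_name, checks in results.items()}

def framework_coverage(results):
    """Per framework, (passing, total) over every (system, mapped control) pair."""
    passed, total = defaultdict(int), defaultdict(int)
    for checks in results.values():
        for control, frameworks in CONTROLS.items():
            for fw in frameworks:
                total[fw] += 1
                passed[fw] += checks.get(control) is True
    return {fw: (passed[fw], total[fw]) for fw in total}

if __name__ == "__main__":
    failing = failing_controls(RUN_RESULTS)
    for sys_name, score in system_scores(RUN_RESULTS).items():
        print(f"{sys_name}: {score:.0%} passing, failing={failing[sys_name]}")
    for fw, (p, t) in framework_coverage(RUN_RESULTS).items():
        print(f"{fw}: {p}/{t} control checks passing")
```

Re-running the same functions after each remediation cycle gives the year-round progress trend the text describes, rather than a single annual snapshot.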