One of the things I do at every CSO Council is to ask the security executives what their top 3 issues are. (We learned a long time ago that you can't ask execs to nail it down to a single issue!) These are the top concerns they have around information security, not just Microsoft issues, so the range is pretty diverse. We've been tracking and trending these issues for almost 5 years, and it's very interesting to see which ones move up and which move down. You can pretty much guess that Regulatory Compliance is one of the ones we consistently see at the top of that list. No wonder, given the huge amount of time that all these regulations make you invest. We've got PCI, HIPAA, SOX, GLB, Basel II, EU privacy laws, etc., and that's not even trying to map them to a framework such as COBIT, ISO 27001, or the ISF.
What Can Microsoft Do To Help Me with Regulatory Compliance?
Our Solution Accelerator team is a great group. These are the guys who have to cull through tons of product-specific guidance and roll it all up so it makes sense to you. They created our Regulatory Compliance Planning Center. The Center has some great info on how we do it internally at Microsoft, which is very good stuff. If you've had the chance to peruse our Regulatory Compliance Planning Guide, a tool which maps our Microsoft technologies to some of the common controls auditors demand to see for things like SOX, GLBA, and HIPAA, you'll understand. If you haven't seen this guide, stop and go take a look. You'll be glad you did.
Introducing: The Security Compliance Management Toolkit
We also just released the brand new Security Compliance Management Toolkit. This will help you monitor and maintain regulatory compliance, and it even provides some tools to help you get there. Here's the blurb:
In today's IT environment, the ability to comply with regulations and industry standards, such as the Sarbanes-Oxley Act, is a source of deep concern for many organizations. In addition, organizations need to manage risks resulting from emerging threats and changing conditions within their IT infrastructures. As a result, organizations need sound methods that they can count on to understand the state of the security settings in their IT infrastructures, assess compliance with a security baseline, and demonstrate that compliance requirements have been met.
To help organizations address these challenges, Microsoft has created the Security Compliance Management toolkit. The toolkit provides best practices from Microsoft about how to plan, deploy, and monitor a security baseline. In addition, the toolkit provides remediation recommendations to address security baseline issues. The toolkit also offers a proven method that your organization can use to effectively monitor the compliance state of recommended security baselines for Windows Vista®, Windows® XP Service Pack 2 (SP2), and Windows Server® 2003 SP2.
The Security Compliance Management toolkit includes the following components:
- The Overview document, which describes the overall security compliance management process and the steps that the toolkit recommends to achieve security compliance using prescribed security baselines.
- The DCM Configuration Pack User Guide, which describes how to load and operate the Configuration Packs in the desired configuration management (DCM) feature of System Center Configuration Manager 2007.
- The Security Compliance Management DCM Configuration Packs that provide security baseline checks for each of the following operating systems: Windows Vista, Windows XP SP2, and Windows Server 2003 SP2.
- Informational Materials: These include a Security Compliance Management Data Sheet and a FAQ that explain how the guidance for the toolkit can benefit your organization.
Knowing the headaches that this issue causes, I hope that these resources provide you with a little peace of mind and can get you back to the family at a decent hour!