Saturday, 9 February 2008

Compliance project

There is a need for a resource that can be used to list/summarise all of the MANY separate IT Governance and IT regulatory requirements. Andrew has pointed out a site that starts to list these (but is expensive and misses many requirements).

What is needed is a simple web driven site where a selection of systems and needs may be matched. I would think that this starts with selecting a list of descriptors (such as: the server is in an Internet-connected DMZ, the system is a web server, the system processes payment card information, ...).

I have all of the data in one form or another from research I have completed in academic study and book writing. I am happy to lead this effort. What I think is needed is more than I alone can do.

So consider this a call for interested parties. The idea is to make this an open source effort.
I would like to start a consensus compliance effort. Something like what the Center for Internet Security (CIS) and OWASP do for their areas, but covering the controls that are required. Somewhere that people can go and find answers to what types of controls they need to implement.

So who is up to starting an interactive controls checklist project?

The idea is that you will be able to enter details system by system or for a site. Answer a set of questions and get a list of requirements and controls that are needed. So as an example I could go through something like:
- DMZ web server
- Located in the US
- Processes credit card information, 20,000 transactions per month
- Non-listed private company
- Banking and finance industry
- GLBA requirements
- Basel II requirements
- Dealings with the EU

And the result will be a set of necessary controls and links to how to achieve these (e.g. the CIS and OWASP frameworks):
- Security policy (e.g. the SANS Policy Project), with details of the policy and the processes that are necessary
- Change management needs
- Protocol justification (PCI-DSS 1.1.6)
- Firewall (PCI-DSS)
- System standards (e.g. see the CIS IIS baselines), aiming for a minimum score of 85% on test xxx
- Etc.
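To make the matching concrete, here is a small Python rule engine written for this post as an added illustration; it is not code from the project described above. Each rule is a predicate over a system profile (the descriptors entered by the user) that triggers one or more controls, each control carries a reference to where the how-to lives (CIS, SANS, PCI-DSS) and a note on the consequence of missing it. The control identifiers, the card-volume threshold and the consequence wording are assumptions made for the example, not an authoritative mapping; the profile below is the worked example from the post.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    cid: str          # short identifier, also used for de-duplication (assumed naming)
    title: str
    reference: str    # where the how-to lives (CIS, OWASP, SANS, PCI DSS, ...)
    consequence: str  # illustrative: civil (contract/tort) or criminal/regulatory exposure


Profile = Dict[str, object]
Rule = Tuple[str, Callable[[Profile], bool], List[Control]]

# Assumed threshold above which a card processor is flagged for the higher
# validation tier; real tiers depend on the acquirer's merchant-level rules.
CARD_TX_REVIEW_THRESHOLD = 10_000

# Controls taken from the post's worked example. Consequence text is an
# illustrative placeholder, not legal advice.
SEC_POLICY = Control("POL-1", "Security policy and supporting processes",
                     "SANS Security Policy Project templates",
                     "civil: due-care arguments in contract or negligence claims")
CHANGE_MGMT = Control("CM-1", "Change management process",
                      "ITIL-style change control, documented and audited",
                      "civil/regulatory: unexplained changes fail most audit regimes")
CIS_BASELINE = Control("CIS-WEB", "Harden to the CIS benchmark for the web server platform "
                       "(e.g. CIS IIS) and hold a minimum benchmark score",
                       "CIS benchmarks and scoring tool",
                       "civil: a known-insecure build undermines a due-care defence")
FIREWALL = Control("PCI-FW", "Firewall configuration standard for the DMZ",
                   "PCI DSS requirement 1",
                   "civil: card brand fines passed through the merchant agreement")
PROTO_JUST = Control("PCI-1.1.6", "Documented justification for every permitted protocol/service",
                     "PCI DSS 1.1.6",
                     "civil: card brand fines passed through the merchant agreement")
VALIDATION = Control("VAL-1", "Escalate to the higher PCI validation tier (assumed threshold)",
                     "acquirer merchant-level rules",
                     "civil: loss of the right to process cards under the merchant agreement")
GLBA = Control("GLBA-SR", "GLBA Safeguards Rule information security programme",
               "GLBA Safeguards Rule", "regulatory: enforcement by the relevant financial regulator")
BASEL = Control("BASEL-OR", "Basel II operational risk controls",
                "Basel II operational risk framework", "regulatory: supervisory action")
EU_DP = Control("EU-DP", "EU data protection obligations for personal data",
                "EU Data Protection Directive 95/46/EC",
                "regulatory: data protection authority enforcement; civil: data subject claims")

# Rules: (human-readable trigger, predicate over the profile, controls it adds).
RULES: List[Rule] = [
    ("every system", lambda p: True, [SEC_POLICY, CHANGE_MGMT]),
    ("internet-facing DMZ web server",
     lambda p: p.get("zone") == "dmz" and p.get("role") == "web server",
     [CIS_BASELINE, FIREWALL]),
    ("processes payment card data",
     lambda p: bool(p.get("processes_cards")), [PROTO_JUST, FIREWALL]),
    ("card volume above assumed review threshold",
     lambda p: bool(p.get("processes_cards"))
     and int(p.get("card_tx_per_month", 0)) >= CARD_TX_REVIEW_THRESHOLD,
     [VALIDATION]),
    ("GLBA applies", lambda p: "GLBA" in p.get("regimes", ()), [GLBA]),
    ("Basel II applies", lambda p: "Basel II" in p.get("regimes", ()), [BASEL]),
    ("dealings with the EU", lambda p: bool(p.get("deals_with_eu")), [EU_DP]),
]


def applicable_regimes(profile: Profile) -> List[str]:
    """Regimes the user entered plus those implied by the descriptors (PCI DSS from card data)."""
    regimes = list(profile.get("regimes", ()))
    if profile.get("processes_cards") and "PCI DSS" not in regimes:
        regimes.append("PCI DSS")
    return regimes


def explain(profile: Profile) -> Dict[str, List[str]]:
    """Map control id -> the rule names that triggered it, in rule order."""
    fired: Dict[str, List[str]] = {}
    for name, predicate, controls in RULES:
        if predicate(profile):
            for c in controls:
                fired.setdefault(c.cid, []).append(name)
    return fired


def required_controls(profile: Profile) -> List[Control]:
    """De-duplicated control list, in the order rules first triggered them."""
    seen: Dict[str, Control] = {}
    for _, predicate, controls in RULES:
        if predicate(profile):
            for c in controls:
                seen.setdefault(c.cid, c)
    return list(seen.values())


# The worked example from the post, as a profile (constructed input).
EXAMPLE_PROFILE: Profile = {
    "zone": "dmz", "role": "web server", "country": "US",
    "processes_cards": True, "card_tx_per_month": 20_000,
    "listed": False, "industry": "banking and finance",
    "regimes": ("GLBA", "Basel II"), "deals_with_eu": True,
}

if __name__ == "__main__":
    print("regimes:", ", ".join(applicable_regimes(EXAMPLE_PROFILE)))
    why = explain(EXAMPLE_PROFILE)
    for c in required_controls(EXAMPLE_PROFILE):
        print(f"{c.cid:10} {c.title}\n{'':10} see: {c.reference}\n"
              f"{'':10} if missed: {c.consequence}\n{'':10} because: {', '.join(why[c.cid])}")
```

Two design points carry over to the real project: controls are de-duplicated by identifier so that a firewall standard demanded by both the DMZ rule and the PCI rule appears once but still lists both reasons, and the regime derivation is kept separate from the control rules so a user who forgets to tick PCI DSS still gets it from the "processes cards" descriptor.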

So this is a preliminary call for interest to see what type of support I can get in the industry for this. As stated, this would be a GPL'd effort and one designed as a resource that will aid both vendors and end users and make all of our lives easier.

Please let me know if you are interested and let us see if we can start to align security and compliance and thus make the effort worthwhile.

I plan to map all relevant security controls and the consequences of missing them, both civil (tort or contract) and criminal (regulatory etc). The idea is that there will be a simple resource for seeing what could occur if you miss something.
