One of the things I do at every CSO Council is to ask the security executives what their Top 3 issues are. (We learned a long time ago that you can't ask execs to nail it down to a single issue!) These are the top concerns they have around information security, not just Microsoft issues, so the range is pretty diverse. We've been tracking and trending these issues for almost 5 years, and it's very interesting to see which ones move up and which move down. You can pretty much guess that Regulatory Compliance is one of the ones we consistently see at the top of that list. No wonder, given the huge amount of time that all these regulations make you invest. We've got PCI, HIPAA, SOX, GLB, Basel II, EU Privacy Laws, etc., and that's not even trying to map them to a framework such as COBIT, ISO 27001, or the ISF.
What Can Microsoft Do To Help Me with Regulatory Compliance?
Our Solution Accelerator team is a great group. These are the guys who have to cull through tons of product-specific guidance and roll it all up so it makes sense to you. They created our Regulatory Compliance Planning Center. The Center has some great info on how we do it internally at Microsoft, which is very good stuff. If you've had the chance to peruse our Regulatory Compliance Planning Guide, a tool which maps our Microsoft technologies to some of the common controls auditors demand to see for things like SOX, GLBA, and HIPAA, you'll understand. If you haven't seen this guide, stop and go take a look. You'll be glad you did.
Introducing: The Security Compliance Management Toolkit
We also just released the brand new Security Compliance Management Toolkit. This will help you monitor and maintain regulatory compliance, and it even provides some tools to help you get there. Here's the blurb:
In today's IT environment, the ability to comply with regulations and industry standards, such as the Sarbanes-Oxley Act, is a source of deep concern for many organizations. In addition, organizations need to manage risks resulting from emerging threats and changing conditions within their IT infrastructures. As a result, organizations need sound methods that they can count on to understand the state of the security settings in their IT infrastructures, assess the compliance of a security baseline, and demonstrate that compliance requirements have been met.
To help organizations address these challenges, Microsoft has created the Security Compliance Management toolkit. The toolkit provides best practices from Microsoft about how to plan, deploy, and monitor a security baseline. In addition, the toolkit provides remediation recommendations to address security baseline issues. The toolkit also offers a proven method that your organization can use to effectively monitor the compliance state of recommended security baselines for Windows Vista®, Windows® XP Service Pack 2 (SP2), and Windows Server® 2003 SP2.
The Security Compliance Management toolkit includes the following components:
Knowing the headaches that this issue causes, I hope that these resources provide you with a little peace of mind and can get you back to the family at a decent hour!