Compliance barged in and became the defining influence on information security over the last four to five years. While some claim that this is what brought information security to the boardroom and made it mainstream, others say that it nearly destroyed it. In any case, the huge impact of regulations and mandates on the practice of information security cannot be overstated. It will likely take years before the IT industry is able to understand the overall impact that regulations are having on the way we secure business information and IT systems.
This paper explores continuous compliance versus audit-driven compliance, and how an ongoing approach turns compliance into a positive force for securing data and systems. Using examples from mandates such as PCI DSS and FISMA, we offer practical tips for avoiding both breaches and audit failures.