NSS Labs Intelligence Brief_Compliance and Auditing

Author: Andrew Lowe

Published: Q3 2019

Many factors influence an organization’s decision to adopt compliance as a practice in its environment. Driving factors could be a law, such as GDPR or HIPAA; proof of due diligence for insurance; C-level management direction; or unique client requirements. Meeting compliance requirements can be a strain on an organization of any size, especially if the organization does not have the correct policies and procedures in place. Auditing is the most important part of a compliance program, and security products play a valuable role here: the logs that many of these products generate are often crucial sources of data for evidence gathering during security control audits.

This paper discusses the process for building a new compliance program and provides guidance on how analysts new to compliance can get up to speed on programs already in place. Common compliance frameworks and typical misconceptions about compliance are reviewed, and laws and best practices are defined.

As with all NSS Labs group tests, there was no fee for participation. All testing was conducted independently and was not paid for by any vendor.