Many organizations must comply with regulations such as HIPAA, and the numbers are growing, fueled by constantly evolving legislation that creates new rules, requirements and auditing procedures. Security compliance requirements are often seen as an unnecessary burden that was legislated into existence to protect external entities. However, properly enforced compliance policies can protect organizations from a myriad of problems – ranging from security breaches to lawsuits to corporate espionage.

Compliance has a symbiotic relationship with the procedures and requirements dictated by computer security. Compliance, like security, is all about risk management. The risk associated with compliance failures can include financial impact (fines), data loss (intrusions), lost business (customer impacts) or even a suspension of operations. While it is easy to see how security and compliance go hand in hand with risk management, the realization does not ease any burdens. Unifying risk management, security management and compliance management can lead to economies of scale, creating efficiencies that do lessen the burdens imposed on both time and budgets.

Unified security management tools that offer integration and management modules can often combine risk management, compliance initiatives and security controls into a single managed element, converting compliance to little more than an extension of policy-based security enforcement. With the proper tool set, compliance management and risk management can become natural extensions of security management, offering managers a clear path to establishing compliance, protecting data and enforcing policy. That holistic approach will reduce costs, while enhancing the benefits of all three.

Free Compliance Management Tools

Most IT pros consider compliance a hassle. Yet the tools of compliance can empower security technologies and simplify risk management. Better yet, some of those tools are free.

GLPI

A free, open source tool, GLPI offers IT and asset management capabilities. After all, a good inventory is the first step in seeing what needs to be secured.

Practical Threat Analysis

A free toolset built around a methodology for managing operational and information security risks in complex systems through calculative threat analysis and threat modeling.

SOMAP

The ORICO Framework and Tool are two projects in one, offering risk management and the toolset to build a reference implementation of a security framework.

SourceForge

An open source IT asset management system that provides identification, valuation and risk assessments.

OpenFISMA

An open source framework designed to reduce the complexity of, and automate, the regulatory requirements of the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).