
IT Compliance Institute, April 17, 2007:

Trends and Technologies

Top 10 Compliance Forums on the Web

When it comes to laws and governance frameworks, conventional wisdom can prove much more useful than oblique “official” guidance. These 10 online forums offer immediate answers to IT compliance questions, practical implementation advice, and been-there-done-that insight into CobiT and ITIL.

By Mathew Schwartz

What IT regulatory compliance problem do you need to solve?

When it comes to demystifying regulations—and learning how to comply with them effectively—compliance, security, and IT managers have a potent online resource: their peers. Locating them, however, can be difficult, simply because the topic of “IT regulatory compliance” covers so much terrain.

That shouldn’t be surprising, since regulations vary widely by domain—the finance industry’s Gramm-Leach-Bliley (GLB); the consumer-oriented protections afforded by the Payment Card Industry Data Security Standard (PCI DSS), which predominantly affects merchants; the Health Insurance Portability and Accountability Act (HIPAA), which covers the health and insurance industries; plus Sarbanes-Oxley (SOX), which regulates public companies.

Furthermore, organizations can pursue multiple paths to compliance—everything from tapping ISO/IEC 17799 for information security best practices, informally referring to guidance from the National Institute of Standards and Technology (NIST), or implementing Control Objectives for Information and related Technology (CobiT) to meet SOX’s governance requirements.

Luckily, some online forums tackle specific regulations, others deal with specific frameworks, and still more just support IT professionals in general. Between them, you should find answers to any of your IT compliance-related questions.

Here are resources to help you get started:

1) PCI Auditor Community Site

This heavily trafficked community allows Visa Qualified Data Security Professionals to discuss issues relating to the PCI DSS. The site, however, also fields inquiries from banks, merchants, and service providers covered by PCI. Recent posts discuss topics such as when two-factor authentication for remote access is required, which of a company’s business partners must be audited for PCI compliance, and how auditors think PCI requirements will or should evolve.

2) Sarbanes-Oxley Act Discussion Forum

For all your SOX queries. Recent postings discuss control methodologies, the impact of SOX overseas, password control tips, tools for evaluating SOX controls, and data retention and disposal issues.

3) Federal Computer Security Program Managers’ Forum

NIST sponsors this informal forum, open to all federal US government employees who are “responsible for protecting non-national security systems.” Discussions touch on numerous issues, including how to achieve and maintain IT compliance. The forum also sponsors bi-monthly (physical) meetings. While non-government compliance practitioners can’t participate, they still have carte blanche access to NIST’s excellent—and free—800-series of information security best practices: http://csrc.nist.gov/publications/nistpubs/

4) ControlIT User Group: An Independent Support Group for CobiT Users

A high-level IT governance framework, CobiT is widely used by organizations to help them more easily achieve, demonstrate, and maintain compliance with numerous IT compliance requirements. Have a CobiT-related compliance question? Start here. Or just come to peruse the compliance-related job listings.

5) The ITIL Community Forum

This community is devoted to the IT Infrastructure Library (ITIL), a best-practices framework for IT service management. Because ITIL is a more low-level, practical set of IT practices than CobiT, many organizations are similarly using it to more easily achieve compliance with multiple regulations. Topics covered on the community range from setting up ITIL incident management, to creating a definitive software library, to creating compliance-related ITIL reports.

6) ISACA Discussion Forums

Want practical advice from your peers? The Information Systems Audit and Control Association (ISACA), a voluntary organization devoted to IT governance which boasts 50,000 members, offers a number of free e-mail-based newsletters devoted to compliance and organized around such topics as SOX, IT governance, CobiT, the practice of being an effective information security manager, or just general audit, control, or security questions.

7) ISO 17799 and BS7799 Forum

A good place to pose questions about ISO/IEC 17799 (Information Technology—Security Techniques—Code of Practice for Information Security Management) and determine how to apply it to your organization’s security needs.

BEYOND FORUMS: BLOGS & MORE

While not strictly online forums—in the interactive sense—several compliance-related blogs and Web sites nevertheless deliver extremely useful compliance-related information and insights.

8) Privacy and Security Law Blog

Interested in the intersection of law and IT compliance? Recent posts to this blog, maintained by law firm Davis Wright Tremaine LLP, analyze new FCC privacy rules for customer phone call records, pending privacy and data security legislation in the 110th Congress, and regulatory efforts to craft a standardized Gramm-Leach-Bliley (GLB) annual privacy notice.

9) PCI Compliance Demystified

Run by a group of self-described PCI and information security wonks, this blog “is devoted to demystifying the PCI DSS compliance process,” which it does with analyses of PCI-related news and articles. When not discussing how Nessus counts towards PCI’s vulnerability scanning requirements—or does it?—the blog earns pop culture crossover points, as with the recent posting titled “MC Frontalot raps about credit card security.”

10) Privacy Rights Clearinghouse

Neither blog nor community, the Privacy Rights Clearinghouse (PRC) “Chronology of Data Breaches” is essential compliance reading, because it tracks all publicly disclosed US data breaches—now at over 150 million data records of US residents potentially compromised—no matter how large or small, by date made public, name of affected organization, type of breach, and the number of records potentially affected. You can keep track of data privacy breaches, who’s being breached, and why. It also includes an excellent repository of online privacy resources.

Armed with the above sites, you can remain up to date on IT compliance topics, post queries for practitioners facing similar challenges, or search through a number of jumping-off points to other communities, blogs, online resources, career development tools, and professional associations.

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.