Compliance, compliance, compliance. Is there no end to it?
Mar 30th, 2010 by Jesper Kråkhede
Sadly not. There are a number of compliance frameworks out there now: PCI DSS, SOX, HIPAA, HITECH, Part 11 and you name it. It is a rather interesting fact that there are just as many consultants specialized in one or the other of them, without the faintest idea that they are all the same!
Take a look from a bit higher ground and you see that all of them manage risk, manage the most common security problems in a sector, and manage what the industry believes are the big problems right now. A year ago I was engaged in a large PCI DSS engagement with a customer. When I explained during a workshop that, whenever I work with a compliance framework, I always aim to be as compliant as possible by putting security mechanisms into a security architecture that addresses the common problems listed in all of the frameworks, their security department fell silent in unison. Apparently this was a way of thinking they had never encountered. So after a few very constructive workshops we have drawn the first lines in creating a security architecture built on a generic compliance structure.
If you have a good modeling language it is rather easy to perform this task, but you really need to have a firm grasp of security; otherwise you will create a rigid set of unreachable rules.