
What's the Point of Compliance? Making Paperwork Useful

BSides DC · 2018 · 43:16 · 178 views · Published 2018-11

Category: Policy
Style: Talk
About this talk
Compliance isn’t security, but that doesn’t mean it’s useless. Compliance is about choosing your security strategy and then making sure you did what you meant to do – and that it’s working. It’s a way to keep yourself honest, and be able to show others that you’re doing what you say you are. How do you know for sure that you’ve patched all your systems unless you check? How do you know that legacy protocol is ok unless you wrote it down?

In this presentation, I’ll cover what governance, risk, and compliance are and what they’re for. I’ll discuss the different compliance requirements for U.S. organizations, outline a minimalist compliance structure, and show you how to make that structure work for you – and how to talk to auditors and assessors about it.

By law and by contract, security teams have to generate a lot of paperwork showing that people’s information and systems are protected. The goal is paperwork that isn’t just busywork – that actually helps your program fulfill your primary objectives, saves time, and helps you improve your strategies. Your security can be better for doing all this compliancy stuff, and this talk will show you how.

Speaker

Rachael Lininger (Free Agent): Information security analyst, risk consultant, Cthulhu cultist. Lawful good. Opinions belong to her autocorrect, not her employer. @0xdaeda1a