How to create a compliance baseline and simplify compliance forever, presented at BSidesAtlanta 2019

by Jason Hill,

Summary: It seems there is a never-ending stream of acronyms that businesses now must learn and understand in order to be “compliant.” In fact, you may feel like a cat herder chasing one audit after another. Each new entrant into the pantheon of compliance complicates and weaves an even more complex web of checklists, procedures, policies, etc. Each time new letters are added to our alphabet soup of regulations we must scramble to meet those specific lists of requirements. What if there were a better way? In this presentation, we’ll take a step back and consider that all frameworks and requirements are very similar. In fact, about 80% of PCI and HIPAA controls overlap. Let’s look at the different framework audit requirements and see how we can take a common-sense approach to your next audit. At the end of the day, regulations have many of the same themes: check audit logs, protect desktops, train users, etc. The first step is to start with a baseline, a starting point against which all other compliance frameworks can be compared. After the baseline has been established, you’ll be able to quiet the noise and provide a clear path towards meeting existing and yet-to-come compliance matrices.
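The baseline idea above can be made concrete as a control-to-requirement map: each baseline control (the common themes the talk names, such as reviewing audit logs, protecting endpoints and training users) records which requirements of which framework it satisfies, and a new framework is then compared against that map to find what is already covered and what is a genuine gap. The following is an added example written for this page, not material from the talk or its author; the control names and the framework requirement identifiers (`P-A`, `H-1`, and so on) are constructed placeholders, not real PCI or HIPAA citation numbers.

```python
from typing import Dict, Set, Tuple

# Constructed baseline: control name -> {framework: set of requirement IDs it satisfies}.
# The requirement IDs are placeholders for illustration only.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "review-audit-logs":       {"PCI": {"P-A"}, "HIPAA": {"H-1"}},
    "protect-endpoints":       {"PCI": {"P-B"}, "HIPAA": {"H-2"}},
    "train-users":             {"PCI": {"P-C"}, "HIPAA": {"H-3"}},
    "encrypt-cardholder-data": {"PCI": {"P-D"}},            # PCI-specific control
    "risk-analysis":           {"HIPAA": {"H-4"}},          # HIPAA-specific control
}


def requirements_met(baseline: Dict[str, Dict[str, Set[str]]], framework: str) -> Set[str]:
    """All requirement IDs of `framework` that some baseline control already satisfies."""
    met: Set[str] = set()
    for mapping in baseline.values():
        met |= mapping.get(framework, set())
    return met


def gap_analysis(baseline: Dict[str, Dict[str, Set[str]]], framework: str,
                 required: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Split a framework's full requirement list into (covered, missing) against the baseline.

    `required` is the complete set of requirement IDs the auditor will check; anything not
    reachable from an existing control is a real gap that needs a new control or a new mapping.
    """
    met = requirements_met(baseline, framework)
    return required & met, required - met


def controls_for(baseline: Dict[str, Dict[str, Set[str]]], framework: str) -> Set[str]:
    """Names of baseline controls that satisfy at least one requirement of `framework`."""
    return {name for name, mapping in baseline.items() if mapping.get(framework)}


def overlap_ratio(baseline: Dict[str, Dict[str, Set[str]]], fw_a: str, fw_b: str) -> float:
    """Fraction of controls used for `fw_a` that also satisfy something in `fw_b`.

    This is the 'how much of the next audit is already done' number: high overlap means the
    baseline absorbs most of the new framework and only the remainder needs new work.
    """
    a_controls = controls_for(baseline, fw_a)
    if not a_controls:
        return 0.0
    shared = a_controls & controls_for(baseline, fw_b)
    return len(shared) / len(a_controls)


def add_mapping(baseline: Dict[str, Dict[str, Set[str]]], control: str,
                framework: str, requirement: str) -> None:
    """Attach a new framework's requirement to an existing control instead of building anew."""
    baseline.setdefault(control, {}).setdefault(framework, set()).add(requirement)


if __name__ == "__main__":
    # Constructed: the full PCI requirement list the auditor will walk through.
    pci_required = {"P-A", "P-B", "P-C", "P-D", "P-E"}
    covered, missing = gap_analysis(BASELINE, "PCI", pci_required)
    print("PCI covered by baseline:", sorted(covered))
    print("PCI gaps needing new controls:", sorted(missing))
    print("PCI/HIPAA control overlap:", overlap_ratio(BASELINE, "PCI", "HIPAA"))

    # A newly arriving framework ("NEW") is mapped onto existing controls first.
    add_mapping(BASELINE, "review-audit-logs", "NEW", "N-1")
    add_mapping(BASELINE, "train-users", "NEW", "N-2")
    print("NEW requirements already met:", sorted(requirements_met(BASELINE, "NEW")))
```

The point of `add_mapping` is the workflow the talk argues for: when a new framework arrives, first map its requirements onto controls you already operate, and only then treat the leftover `missing` set as new work.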