As companies are tasked with ever more compliance regulation, many organizations are adopting a standards-based approach to compliance management. Embracing a comprehensive standard as a benchmark is a proactive approach that gives companies confidence that they have addressed most, if not all, compliance mandates.

For example, ISO 17799:2005 / 27002 is a code of practice for information security management developed by the International Organization for Standardization.

This practice is increasingly the standard adopted by organizations when measuring the confidentiality, integrity and availability of their infrastructure. Being compliant with such a comprehensive standard positions organizations well to deal with the increasing regulatory privacy and security standards mandated within their industry.

Rsam's standards-based Compliance Assessments take aspects of this standard and convert them into measurable controls assigned to different logical groups within an organization hierarchy. This logical grouping and organization hierarchy can be used as-is or further customized to meet the specific needs of an organization. Rsam makes your standards-based assessment manageable and enables analysis to be performed on the assessment data.

Rsam works by organizing the assessment into manageable and logical groups. For each grouping, Rsam helps gather responses concerning control practices and measures these responses against the expected standards. This information is then processed to identify gaps and to score them. During this process, users are assigned to answer specific questionnaires concerning the existence and implementation of a control. As users log into the Rsam interface they are presented with simple dashboards showing their assigned tasks and the status of their questionnaires. By clicking on a particular task the user is directed to the appropriate questionnaire page and walked through each assigned question via an intuitive GUI. Upon completion of a questionnaire, the process can be passed to other users for review or additional input. All such actions are tracked and logged, and progress reports and administrator dashboards provide constant progress updates.

Once gaps and compliance violations are known, the Rsam Remediation Tracking Module can help track and document your remediation plans. Assessment and risk treatment data can be archived at any time, and using our reporting engine, historical reports can be generated that provide useful trend analysis. Below is an overview of the standards incorporated in Rsam:
NIST 800-26 is a popular control standard on which many organizations base their security practices. NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. NIST's Computer Security Division has developed several standards to improve information systems security that have been widely adopted by Federal agencies as well as commercial organizations. Rsam's NIST template is based on SP 800-26 Security Self-Assessment Guide for Information Technology Systems, SP 800-53 Recommended Security Controls for Federal Information Systems and other related documents. Each assessment area in Rsam is carefully mapped to NIST standards and guidelines, allowing clients to easily conduct an assessment against NIST.

The purpose of NIST 800-53/800-26 is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines apply to all components of an information system that process, store, or transmit federal information. The guidelines have been developed to help achieve more secure information systems within the federal government by:

Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems;
Providing a recommendation for minimum security controls for information systems categorized in accordance with Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems;
Promoting a dynamic, extensible catalog of security controls for information systems to meet the demands of changing requirements and technologies; and
Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness.
ISO 27002 / ISO 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002:2005 contains best practices of control objectives and controls in the following areas of information security management:
security policy;
organization of information security;
asset management;
human resources security;
physical and environmental security;
communications and operations management;
access control;
information systems acquisition, development and maintenance;
information security incident management;
business continuity management;
compliance.
The control objectives and controls in ISO/IEC 27002:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 27002:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.
Successful organizations understand the benefits of information technology (IT) and use this knowledge to drive their shareholders' value. They recognize the critical dependence of many business processes on IT, the need to comply with increasing regulatory compliance demands and the benefits of managing risk effectively. To aid organizations in successfully meeting today's business challenges, the IT Governance Institute® (ITGI) has published a version of COBIT.

COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.
Member agencies of the Federal Financial Institutions Examination Council (FFIEC) implemented section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) by defining a process-based approach to security in the 'Interagency Guidelines Establishing Information Security Standards' (501(b) guidelines). The 501(b) guidelines afford the FFIEC agencies (agencies) enforcement options if financial institutions do not establish and maintain adequate information security programs. The FFIEC Information Security booklet follows the same process-based approach, applies it to various aspects of the financial institution's operations and all related data, and serves as a supplement to the agencies' GLBA 501(b) expectations.