Gearing Towards Your Next Audit – Understanding the Difference Between Best Practice Frameworks and Regulatory Compliance Standards

Security configuration management (SCM) can help organizations do much more than just harden their attack surfaces against intrusions. This fundamental control can also make your audits flow more smoothly: it allows organizations to pull reports from any point in time and demonstrate how their configuration changes and alignments support their compliance efforts.

SCM doesn't help organizations with just one type of audit, either. For example, it can support an in-house audit in which staff members evaluate the organization's configuration against a set of internal controls and best practice frameworks. It can also give them everything they need to meet an externally conducted audit involving regulatory compliance standards.

To understand how, it's important that organizations understand the difference between a best practice framework of security controls and a set of regulatory compliance standards.

Best Practice Frameworks

Organizations can use best practice frameworks to create, enhance and maintain an effective digital security program. These frameworks all recommend that organizations implement SCM, but they do not enforce that implementation through a formal audit.

Three best practice frameworks in particular stand out for wide recognition within the security industry: the Center for Internet Security's Top 20 Critical Security Controls ("the CIS Controls"), the National Institute of Standards and Technology's various publications ("NIST") and the MITRE ATT&CK Cybersecurity Framework ("MITRE ATT&CK").

The CIS Controls

Considered the gold standard for organizations that are looking to secure their systems, the
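The point-in-time reporting the article attributes to SCM at the outset (pulling a report for any date and showing how configuration changes track a baseline) is easier to reason about with a concrete model. The following is an added, self-contained Python example written for this page; it is not code from the article or from any SCM product. It keeps an append-only history of configuration snapshots, answers "what did this host look like as of date X", and reports drift from a hardening baseline for that date. The setting names and the baseline values are constructed sample data, not taken from any framework.

```python
"""Point-in-time configuration history with baseline drift reports (added example)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed sample hardening baseline; the setting names are hypothetical
# and are not drawn from the CIS Controls, NIST or MITRE ATT&CK.
BASELINE: dict[str, str] = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "auditd.enabled": "yes",
    "firewall.default_policy": "drop",
}


@dataclass(frozen=True)
class Snapshot:
    """One capture of a host's security-relevant settings at a given time."""
    taken_at: datetime
    settings: dict[str, str]

    def digest(self) -> str:
        # Canonical JSON so identical settings always hash identically; the
        # digest gives an auditor a stable identifier for the evidence record.
        canonical = json.dumps(self.settings, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()


class ConfigHistory:
    """Append-only store of snapshots, queryable as of any point in time."""

    def __init__(self) -> None:
        self._snapshots: list[Snapshot] = []

    def record(self, taken_at: datetime, settings: dict[str, str]) -> Snapshot:
        snap = Snapshot(taken_at, dict(settings))
        self._snapshots.append(snap)
        self._snapshots.sort(key=lambda s: s.taken_at)
        return snap

    def as_of(self, when: datetime) -> Snapshot | None:
        """Latest snapshot taken at or before `when`, or None if there is none."""
        candidates = [s for s in self._snapshots if s.taken_at <= when]
        return candidates[-1] if candidates else None

    def drift(self, baseline: dict[str, str], when: datetime) -> dict[str, tuple[str, str | None]]:
        """Settings deviating from the baseline as of `when`.

        Returns {setting: (expected, actual)}; actual is None when the snapshot
        lacks the setting entirely. An empty dict means the host was compliant.
        """
        snap = self.as_of(when)
        if snap is None:
            raise ValueError(f"no snapshot on or before {when.isoformat()}")
        return {
            key: (expected, snap.settings.get(key))
            for key, expected in baseline.items()
            if snap.settings.get(key) != expected
        }

    def changes_between(self, start: datetime, end: datetime) -> list[tuple[str, str | None, str | None]]:
        """Chronological (setting, old, new) triples across snapshots in [start, end]."""
        window = [s for s in self._snapshots if start <= s.taken_at <= end]
        changes: list[tuple[str, str | None, str | None]] = []
        for prev, cur in zip(window, window[1:]):
            for key in sorted(set(prev.settings) | set(cur.settings)):
                if prev.settings.get(key) != cur.settings.get(key):
                    changes.append((key, prev.settings.get(key), cur.settings.get(key)))
        return changes


def build_sample_history() -> ConfigHistory:
    """Constructed timeline: compliant, then root SSH login enabled, then restored."""
    hist = ConfigHistory()
    hist.record(datetime(2024, 1, 5, tzinfo=UTC), BASELINE)
    drifted = {**BASELINE, "sshd.PermitRootLogin": "yes"}
    hist.record(datetime(2024, 2, 10, tzinfo=UTC), drifted)
    hist.record(datetime(2024, 3, 1, tzinfo=UTC), BASELINE)
    return hist


if __name__ == "__main__":
    hist = build_sample_history()
    for when in (datetime(2024, 1, 31, tzinfo=UTC), datetime(2024, 2, 15, tzinfo=UTC)):
        report = hist.drift(BASELINE, when)
        status = "compliant" if not report else f"drift: {report}"
        print(f"{when.date()}: {status} (snapshot {hist.as_of(when).digest()[:12]})")
    jan, mar = datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 3, 31, tzinfo=UTC)
    print("changes Jan-Mar:", hist.changes_between(jan, mar))
```

The `as_of` query is what makes an audit request such as "show me the state of this host on the last day of the quarter" answerable without re-scanning anything, and `changes_between` is the evidence trail an assessor asks for when a drift was found and then remediated. The snapshot digest is included so that an exported report can be tied back to the exact stored record it was generated from.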