Compliance

Going Beyond Compliance to Look at the Bigger Picture

by Brian Contos

    Through my years in security, if there is one thing I’ve learned from working with organizations all over the world in every imaginable vertical market, it’s that businesses are not in business to be compliant with government and industry mandates. So why do so many organizations simply put programs in place that make the auditors happy but don’t do enough to reap the rewards of all the hard work that goes into a compliance program? It’s because although the benefits of compliance are numerous, they are often difficult to quantify. Also, many businesses feel rushed into demonstrating compliance, implementing compensating controls, and generating vast reports just to quickly pass an audit or avoid a fine. These fixes ignore the more significant costs of non-compliance, including damage to corporate reputation, shareholder faith, customer attrition and lawsuits.
    Knowing where to start when looking at your IT environment can be a difficult first step in compliance initiatives. Too often, customers don’t know how to proceed, which makes cost and effort estimation challenging. A simple strategy is to start with the primary assets that host regulated or sensitive data and then expand coverage to include the peripheral network elements around those critical hosts: routers, switches, firewalls, secondary applications and so on. Clear knowledge of physical assets, supporting infrastructure and the sensitive content contained therein provides a means to more accurately scope and estimate the cost of a compliance initiative.
    Once the resources are identified, you need to define primary and secondary controls. Primary controls are established around assets such as hosts, applications, databases and identity management systems, which directly store or interface with regulated data. Secondary controls are applied to peripheral network and security devices such as firewalls, intrusion prevention systems and other supporting network infrastructure. Collection and analysis of logs from these devices can automate monitoring of primary and secondary controls.
    Unfortunately, most regulations are ambiguous when it comes to IT. For example, Sarbanes-Oxley Section 404 requires that companies implement an effective system of internal controls, but does not indicate what those controls should actually be. Organizations have thus been turning to established entities such as the National Institute of Standards and Technology (NIST) as a source of authoritative IT controls. For example, the NIST 800-92 standard specifically addresses log management infrastructure best practices, while the NIST 800-53 standard provides guidance for explicit security controls in areas such as user authentication, configuration changes, vulnerabilities and more.

     Making Compliance Relevant to Business

    While NIST provides powerful technical checks, it doesn’t provide higher-level business relevance – that’s where ISO 17799 comes in. Leveraging ISO 17799 adds business context atop the technical checks of NIST. In fact, a number of organizations refer to this approach as “ISO over NIST.” ISO brings business process, policy monitoring and risk management to the equation, and when combined with NIST, provides the foundation for an IT Governance (ITG) strategy that is essentially a superset of the various regulations. ITG is commonly used when determining budgets and project feasibility.
    Once a framework has been vetted to support a robust ITG strategy, most of the steps needed to address increased security, reduced risk and—let us not forget—compliance have already been taken. Compliance information is available at this point and simply needs to be rendered in a way that maps to individual regulations. While ITG will address the entire business and hopefully make it more efficient and effective, only parts of it are needed to address Sarbanes-Oxley, PCI, Basel II, the Federal Information Security Management Act (FISMA) and the like. For many regulations, the underlying data is the same and the work to compile it can be largely re-used. Once the data is produced, compliance reports can be created by filtering the relevant information into a view that supports each specific mandate. This approach is also scalable, less costly and more advantageous than trying to address each regulation just for compliance’s sake.
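The two ideas above, automating primary and secondary control monitoring from device logs and then filtering one shared body of evidence into a per-mandate view, can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from any product it mentions. The host names, the log lines and the mapping of each control to SOX, PCI and FISMA are constructed assumptions chosen only to exercise the logic; a real program would read its inventory and control catalogue from the organization's own records.

```python
"""Log-driven control monitoring with per-mandate report filtering (illustrative, constructed data)."""
import re
from collections import Counter
from typing import NamedTuple

# Constructed asset inventory (hypothetical host names, not from the article).
# "primary" = stores or interfaces with regulated data; "secondary" = supporting infrastructure.
ASSETS = {
    "db01": {"tier": "primary", "data": {"cardholder", "financial"}},
    "app01": {"tier": "primary", "data": {"financial"}},
    "fw01": {"tier": "secondary", "data": set()},
    "sw01": {"tier": "secondary", "data": set()},
}

# Each control names the asset tier it covers and the mandates it supplies evidence for.
# The control-to-mandate mapping here is an assumption for the example, not an authoritative crosswalk.
CONTROLS = {
    "repeated-auth-failure": {"tier": "primary", "mandates": {"SOX", "PCI", "FISMA"}},
    "unapproved-config-change": {"tier": "secondary", "mandates": {"SOX", "PCI", "FISMA"}},
    "no-log-coverage": {"tier": "any", "mandates": {"PCI", "FISMA"}},
}

# Constructed log lines in a simple "timestamp key=value ..." form.
LOG_LINES = [
    "2024-03-01T09:00:01 host=db01 event=auth_fail user=alice",
    "2024-03-01T09:00:03 host=db01 event=auth_fail user=alice",
    "2024-03-01T09:00:05 host=db01 event=auth_fail user=alice",
    "2024-03-01T09:00:09 host=db01 event=auth_ok user=alice",
    "2024-03-01T09:10:00 host=app01 event=auth_fail user=bob",
    "2024-03-01T09:30:00 host=fw01 event=config_change ticket=CHG-1042 user=netops",
    "2024-03-01T09:45:00 host=fw01 event=config_change ticket=none user=netops",
]


class Finding(NamedTuple):
    control: str
    host: str
    detail: str


KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split a log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def evaluate(lines, assets=ASSETS, threshold=3):
    """Run every control over the log lines and return the shared list of findings."""
    events = [parse(line) for line in lines]
    tier = lambda host: assets.get(host, {}).get("tier")
    findings = []

    # Primary control: repeated failed authentication against an asset holding regulated data.
    fails = Counter((e["host"], e.get("user", "?")) for e in events
                    if e.get("event") == "auth_fail" and tier(e["host"]) == "primary")
    for (host, user), n in sorted(fails.items()):
        if n >= threshold:
            findings.append(Finding("repeated-auth-failure", host, f"{n} failures for user {user}"))

    # Secondary control: configuration change on supporting infrastructure with no change ticket.
    for e in events:
        if (e.get("event") == "config_change" and tier(e["host"]) == "secondary"
                and e.get("ticket", "none") == "none"):
            findings.append(Finding("unapproved-config-change", e["host"],
                                    f"by {e.get('user', '?')} at {e['ts']}"))

    # Coverage control: an inventoried asset that sent no logs at all is a monitoring gap.
    seen = {e["host"] for e in events}
    for host in sorted(assets):
        if host not in seen:
            findings.append(Finding("no-log-coverage", host, "no events received"))
    return findings


def report(findings, mandate, controls=CONTROLS):
    """Filter the one shared set of findings into the view a single mandate needs."""
    return [f for f in findings if mandate in controls[f.control]["mandates"]]


def all_reports(findings, controls=CONTROLS):
    """Produce every mandate's view from the same evidence, without re-running the checks."""
    mandates = set().union(*(c["mandates"] for c in controls.values()))
    return {m: report(findings, m, controls) for m in sorted(mandates)}


if __name__ == "__main__":
    found = evaluate(LOG_LINES)
    for mandate, view in all_reports(found).items():
        print(f"== {mandate} ({len(view)} findings)")
        for f in view:
            print(f"  {f.control:26} {f.host:6} {f.detail}")
```

The checks run once; `report` only filters. On the constructed input the shared evidence holds three findings (the brute-force pattern on db01, the ticketless firewall change on fw01, and the silent switch sw01), and the SOX view drops the coverage finding because, in this example's assumed mapping, that control is tagged only for PCI and FISMA.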

     Reducing Risks and Costs

    Some organizations struggle so much with compliance efforts that they are considering not implementing any solution at all. This is especially true of retailers, who handle customer credit card data. Fortunately, companies need not bear these compliance risks; technologies are readily available to provide a clear starting point for implementing controls, ongoing monitoring of these controls and flexible reporting against compliance requirements. Security Information and Event Management (SIEM) solutions automatically process corporate information to detect threats and compliance violations in real time. Such automation dramatically simplifies compliance efforts.
    Organizations must take a comprehensive, long-term view of compliance with industry mandates like PCI to enhance and protect shareholder faith and customer loyalty, to leverage compliance and security as a competitive differentiator and to leverage the efficiencies gained from compliance to improve their overall business processes.