Compliance vs. Security
[Image: Jeff Foresman presents “Compliance vs. Security”]
My associate at Rook Security, Jeff Foresman, spoke at three information security events in the past few weeks about how to build a secure compliance program. The questions asked and discussions that happened at the end of each of Jeff’s presentations were complex and spirited. The frustration that many information security and compliance professionals (often the same person at many organizations) experience on a daily basis was evident. They are faced with compliance mandates that have long been treated as annual projects by senior management, and information security mandates that are usually underfunded, tactical in nature, and frequently ignored by executives unless something goes wrong. Great job, huh?
The regulatory compliance landscape is complex. Many organizations must comply with two or more standards. The most common are PCI DSS, HIPAA, FFIEC, FISMA, NERC CIP, and IRS Pub 1075, but there are others. With so many standards to comply with, the “this is an annual audit project” mentality has become pervasive. This has to change if we are going to be successful at maintaining both compliance and security.
Perhaps Dr. Anton Chuvakin, Research VP at Gartner, says it best: “We are not doing it to impress an auditor; we are doing it to stop an attacker!”
Nearly 150 million credit card and protected health information records have been disclosed through breaches in the past 18 months at Target, Home Depot, Neiman Marcus, Community Health, Anthem, JP Morgan, and Premera Blue Cross. And each of those organizations was found to be compliant in its most recent assessments and attestations. How do we stop the many malicious and determined actors, whether organized criminal enterprises, foreign-government-sponsored groups, or “hacktivists”? Frankly, we will never be able to stop them all. But we can slow them down. And we can definitely get better at detection and response.
We need to move past the overreliance on security appliances. Only 3% of breaches, according to the Verizon Business Data Breach Report, were detected by intrusion detection and log monitoring tools. Don’t misunderstand this to mean we shouldn’t use these tools. They are a key piece of the detection puzzle. But we need to become better at using them in conjunction with our information security program.
Next, we must become strategic in our approach to compliance and security. Budgeting for and buying a data loss prevention tool or an identity access management solution is not a strategy; it’s a tactic. And it won’t work well if you don’t have a plan and aren’t executing on the basics, such as patching vulnerabilities and regular security awareness training.
How do organizations successfully move from tactical to strategic?
[Image: Speaking with an attendee during a break between sessions]
The process can be distilled to five steps:
- Program Development
There are several frameworks available upon which to base your information security strategy. We most often recommend that our clients base their own on the NIST Cybersecurity Framework. Its five components (Identify, Protect, Detect, Respond, and Recover) ensure a comprehensive approach and can be easily communicated to senior management.
- Awareness Training
Awareness training is critical. Most breaches in the past year have been initiated through a successful social engineering effort allowing the attacker to gain credentials with phishing emails, calls, and other methods. Develop and implement an ongoing security awareness training program, test its effectiveness regularly, and adjust the training based on the test results.
- Sensitive Data Control
Most organizations have no idea where all of their sensitive data is stored or how and where it flows. Mapping data flows and storage isn’t difficult, but it is time-consuming, requiring interviews with the many application owners and data users. It is worth the effort, though, because it is much simpler to protect data when you know where it is and who has access. We also recommend that our clients establish both a data retention and classification program. Why store sensitive information you no longer need or are not legally required to maintain?
- Technical Solutions
Technical solutions are still a key component of your program, but be certain to implement those that have a balance of prevention, detection, and response capabilities. We recommend the Critical Security Controls (SANS 20) as a guideline to prioritize the development of your technical information security program. Don’t overlook the importance of an Incident Response Plan and the staff to respond to security incidents.
- Compliance Management Program
Finally, build a Compliance Management Program and stop treating compliance as a once-a-year project. Most of the regulatory agencies include time-based controls in their requirements and this is where most organizations fail. A compliance management program that incorporates the time-based controls vastly improves the odds that you are able to maintain compliance between assessments. Test the technical security controls regularly to ensure that you adhere to vulnerability management, patching, and configuration standards over time. You should also implement a continuous improvement process so that your information security program matures and keeps pace with the ever-changing threats and challenges.
It will take time and executive support to move from the current tactical efforts to the more effective strategic approach we recommend, but it is well worth the effort.