7 Mistakes of IT Security Compliance - and Steps to Avoid Them
DESCRIPTION
This presentation describes seven typical IT security compliance errors and outlines the best practices you can immediately apply to your environment to help your company achieve compliance.
TRANSCRIPT
Avoiding 7 Common Mistakes
of IT Security Compliance
Jason Creech, Director Product Management, Policy Compliance, Qualys, Inc.
Agenda
• Introduction
• Regulatory Landscape
• Disparate Needs of Stakeholders
• Common Compliance Framework
• Common Compliance Mistakes
• Lessons Learned
• Summary
IT Compliance Overview
Ensuring IT compliance with regulatory mandates, industry standards, and internal best practice policies.
Risks of non-compliance are significant and can result in substantial financial penalties and negative brand impact.
Compliance Programs focus on:
– Developing and maintaining IT controls and policies
– Gathering data for measuring the operational implementation of controls
– Meeting increasingly complex regulations and industry mandates
– Meeting different stakeholder needs
Regulatory Landscape
• Today… seeing more standards, frameworks, regulations, many industry specific… HIPAA, GLBA, FDCC, PCI
• Yet… many regulations are over a decade old and still no standardization
[Timeline figure, 1990s to "2000 and beyond", listing: PIPEDA (Canada), FDCC/SCAP, NIST SP 800-53, PCI Data Security Standard (PCI DSS), EC Data Privacy Directive, FISMA 2002, ITIL v3, FDA 21 CFR Part 11 (Pharma), HIPAA Security Rule, EU Data Protection Directive, GLBA, FFIEC IT Exam Handbook, BS 7799 / ISO 17799 / 27001 / 27002, Basel II Accord, Sarbanes-Oxley, NERC, California SB 1386 Privacy]
Disparate Needs of Stakeholders
[Diagram: four stakeholder groups around "Different Compliance Needs"]
Business Management
• Consolidate security data
• Proactively identify threats
• Prioritize IT risks
• Security & compliance summary metrics
• Reduce costs of reporting
• Identify areas of risk to the LOB
IT Security, IT Audit and IT Operations
• Prioritize IT risks
• Assign and verify remediation
• Identify areas of risk to the LOB
• Reduce audit costs
• Automated view into security data
• Automate risk & regulatory reporting
• Prioritize and track remediation
• Utilize existing remediation tools
• Closed-loop workflow
Common Compliance Framework
[Diagram: Simple Compliance Framework, from the framework level (owned by BU managers/audit, compliance, and GRC vendors) down to the detailed technical level (owned by SMEs, security operations, and data-harvesting vendors)]
Framework level
– Regulations, frameworks and standards: SOX, HIPAA, GLBA, CobiT, COSO, ISO 17799, PCI, NIST, NERC
– Policies, standards, business requirements (example: "Vulnerable processes must be eliminated.")
– Controls design
Detail level
– Controls (manual/auto)
– Procedures and guidelines
– Enforcement and data harvesting
Example control (detail level)
– CID 1130: The telnet daemon shall be disabled
– Technology: AIX 5.x
– Rationale: Telnet streams are transmitted in clear text, including usernames and passwords. The entire session is susceptible to interception by threat agents.
7 Common Compliance Mistakes
• Decentralized Policy Management
• Failure to establish a compliance definition
• Tactical instead of strategic response
• Failure to test solutions before implementation
• Treating the audit as a nuisance
• Lack of buy-in from administrative resources
• Unaware of the hidden cost of many compliance solutions
1. Decentralized Policy Management
Issue:
• Many large corporations manage their security policies across disparate locations. Each region creates its own policies, which do not conform to unified standards.
Effect:
• Lack of consistent terminology and reference.
• Inability to demonstrate a cohesive compliance initiative.
• Incompatible compliance frameworks.
• Many organizations are now implementing consolidated repositories such as SharePoint or IT GRC solutions to manage policy content.
2. Common Compliance Vocabulary
Establish the definition of basic concepts:
• Policy
• Compliance
• Standard
• Control
Additional:
• Purpose and Scope Statement: a rationale for why the Control Statement should be implemented (example: a malicious user may use these accounts to access sensitive information)
• Datapoint: a check against the technology (system, network, database or application) that validates the control (example: grep '^+:' /etc/passwd /etc/shadow /etc/group)
• Exception: an Exception allows an auditor to accept risk and make a control pass
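The vocabulary above (control, purpose and scope statement, datapoint, exception) and the CID 1130 telnet control from the framework slide can be tied together in a small evaluator. The following is an added example, not code from the presentation or from Qualys: control identifiers other than CID 1130, the host names, the evidence files and the telnet check (an active "telnet" line in /etc/inetd.conf) are assumptions, and the NIS '+' datapoint reproduces the grep pattern quoted on the slide.

```python
"""Toy compliance-control evaluator (added example, not the vendor's code).
Models a Control with a purpose statement, a Datapoint that checks harvested
evidence, and an Exception that lets an auditor accept a failing control."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Harvested evidence for one host: file path -> file contents.  Constructed
# samples are used below; a real harvester would collect them from the system.
Evidence = Dict[str, str]
DatapointResult = Tuple[bool, str]  # (control passed?, human-readable detail)


@dataclass
class Control:
    cid: str          # control identifier ("CID 1130" is the one on the slide)
    statement: str    # the control statement itself
    purpose: str      # purpose and scope: why the control should be implemented
    technology: str   # platform the datapoint applies to
    datapoint: Callable[[Evidence], DatapointResult]


@dataclass
class RiskException:
    """Auditor-approved exception: the control is reported as passing for this
    host even though its datapoint fails (risk accepted, not fixed)."""
    cid: str
    host: str
    approved_by: str
    justification: str


def active_lines(text: str) -> List[str]:
    """Non-blank lines that are not commented out with a leading '#'."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def dp_telnet_disabled(ev: Evidence) -> DatapointResult:
    """Datapoint for CID 1130.  Assumed check (not the vendor's actual one):
    no active 'telnet' service line in /etc/inetd.conf."""
    hits = [ln for ln in active_lines(ev.get("/etc/inetd.conf", ""))
            if ln.split()[0] == "telnet"]
    if hits:
        return False, "telnet daemon enabled in /etc/inetd.conf: " + hits[0]
    return True, "no active telnet entry in /etc/inetd.conf"


NIS_COMPAT = re.compile(r"^\+:")  # the pattern behind grep '^+:' on the slide


def dp_no_nis_plus_entries(ev: Evidence) -> DatapointResult:
    """Equivalent of grep '^+:' /etc/passwd /etc/shadow /etc/group: a matching
    line is a legacy NIS '+' compatibility entry, so any hit fails the control."""
    hits = [f"{path}: {ln}"
            for path in ("/etc/passwd", "/etc/shadow", "/etc/group")
            for ln in ev.get(path, "").splitlines()
            if NIS_COMPAT.match(ln)]
    if hits:
        return False, "; ".join(hits)
    return True, "no '+:' entries in passwd, shadow or group"


CONTROLS = [
    Control("CID 1130", "The telnet daemon shall be disabled",
            "Telnet streams are transmitted in clear text, including usernames "
            "and passwords; the entire session is susceptible to interception.",
            "AIX 5.x", dp_telnet_disabled),
    Control("CID-PLACEHOLDER",  # hypothetical id for the slide's grep datapoint
            "No NIS '+' compatibility entries in passwd, shadow or group",
            "A malicious user may use these accounts to access sensitive information.",
            "UNIX", dp_no_nis_plus_entries),
]


def evaluate(host: str, controls: List[Control], evidence: Evidence,
             exceptions: List[RiskException]) -> Dict[str, Tuple[str, str]]:
    """Return {cid: (status, detail)}; status is PASS, FAIL, or PASS-EXCEPTION
    when a failing datapoint is covered by an approved exception for this host."""
    excepted = {e.cid for e in exceptions if e.host == host}
    report: Dict[str, Tuple[str, str]] = {}
    for ctl in controls:
        passed, detail = ctl.datapoint(evidence)
        if passed:
            report[ctl.cid] = ("PASS", detail)
        elif ctl.cid in excepted:
            report[ctl.cid] = ("PASS-EXCEPTION", detail + " (risk accepted by auditor)")
        else:
            report[ctl.cid] = ("FAIL", detail)
    return report


# Constructed sample evidence for a hypothetical host "aixhost01".
SAMPLE_EVIDENCE: Evidence = {
    "/etc/inetd.conf": ("## constructed sample inetd.conf\n"
                        "ftp     stream  tcp6  nowait  root  /usr/sbin/ftpd     ftpd\n"
                        "telnet  stream  tcp6  nowait  root  /usr/sbin/telnetd  telnetd -a\n"),
    "/etc/passwd": "root:!:0:0::/:/usr/bin/ksh\n+::0:0:::\n",
    "/etc/shadow": "",
    "/etc/group": "system:!:0:root\n",
}
SAMPLE_EXCEPTIONS = [RiskException("CID 1130", "aixhost01", "audit-lead",
                                   "constructed sample: telnet kept until ssh rollout")]

if __name__ == "__main__":
    for cid, (status, detail) in evaluate("aixhost01", CONTROLS, SAMPLE_EVIDENCE,
                                          SAMPLE_EXCEPTIONS).items():
        print(f"{cid:16} {status:15} {detail}")
```

Run stand-alone, it reports CID 1130 as PASS-EXCEPTION (the telnet line is active but an exception is on file for aixhost01) and the NIS control as FAIL with the offending passwd line; the same evidence evaluated for a host without an exception reports CID 1130 as FAIL. Keeping the datapoint separate from the control statement is what lets one policy apply across technologies: a second platform needs a new datapoint, not a new control.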
3. Tactical vs. Strategic Response
Issue:
• After SOX was put into effect, many organizations responded by creating multitudes of controls to satisfy perceived requirements.
Effect:
• An inability to comply with all the defined requirements.
• Overwhelmed IT staff trying to keep up.
• Organizations that used a strategic approach in prioritizing a manageable set of controls were more successful.
4. Failure to Test
Issue:
• Some organizations purchased software to automate harvesting of IT compliance data, usually information security tools.
Effect:
• In the haste to get solutions implemented, testing was nonexistent or inadequate.
• Solutions did not meet companies' compliance needs.
• Some implementations conflicted with existing functions.
• Unnecessary costs were incurred.
5. Treating the Audit as a Nuisance
Issue:
• There are many benefits to an IT audit. The analysis of business functions can identify waste and streamline business processes. But many organizations see audits as a nuisance and go through the motions for appearance only.
Effect:
• Lack of buy-in from stakeholders
• Perception of convenience over security can occur
• System integrity can be inconsistent
6. Lack of Buy-In from Administrators
Issue:
• Administrators of IT assets are often used to doing things their own way. They can be very confident of their technical ability and can assume that they are above the rules or can erase evidence.
Effect:
• Some administrators have a tendency to circumvent acceptable process.
• Policy violations can occur and become evident during an audit.
• Security issues can be introduced.
7. The Hidden Cost of Compliance Solutions
Issue:
• Many software vendors have jumped into the compliance market. Compliance is what is driving the bulk of security software purchases. All vendors focus on improving the efficiency of the compliance process via software automation, but there are hidden costs that should be evaluated as well.
Effect:
• Maintenance of IT systems (servers, DBs) increases the resources needed.
• Staff must be educated on usage of the solution.
• The technology of some systems can fall out of currency quickly.
Lessons Learned
• Centralize policy management and promote consistency
• Establish a common compliance definition and educate
• Focus on strategic response to maximize efficiency
• Thoroughly test solutions before implementation
• Consider audits as part of necessary business analysis
• Foster buy-in and collaboration from administrative resources
• Achieve an understanding of the full impact of purchased solutions