7 Mistakes of IT Security Compliance - and Steps to Avoid Them

Avoiding 7 Common Mistakes of IT Security Compliance Jason Creech Director Product Management, Policy Compliance Qualys, Inc.

Upload: qualys

Post on 20-May-2015


DESCRIPTION

This presentation describes seven typical IT security compliance errors and outlines the best practices you can immediately apply to your environment to help your company achieve compliance.

TRANSCRIPT

Page 1: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

Avoiding 7 Common Mistakes

of IT Security Compliance

Jason Creech, Director Product Management, Policy Compliance, Qualys, Inc.

Page 2: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

Agenda

• Introduction

• Regulatory Landscape

• Disparate Needs of Stakeholders

• Common Compliance Framework

• Common Compliance Mistakes

• Lessons Learned

• Summary

Page 3: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

IT Compliance Overview

Ensuring IT compliance with regulatory mandates, industry standards, and internal best practice policies.

Risks of non-compliance are significant and can result in substantial financial penalties and negative brand impact.

Compliance Programs focus on:

– Developing and maintaining IT controls and policies

– Gathering data for measuring the operational implementation of controls

– Meeting increasingly complex regulations and industry mandates

– Meeting different stakeholder needs


Page 4: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

Regulatory Landscape

• Today… seeing more standards, frameworks, regulations, many industry specific… HIPAA, GLBA, FDCC, PCI

• Yet… many regulations are over a decade old and still no standardization

Timeline figure (1990s through 2000 and beyond); items shown:

– PIPEDA (Canada)

– FDCC/SCAP

– NIST SP 800-53

– PCI Data Security Standard (PCI DSS)

– EC Data Privacy Directive

– FISMA 2002

– ITIL v3

– FDA 21 CFR Part 11 (Pharma)

– HIPAA Security Rule

– EU Data Protection Directive

– GLBA

– FFIEC IT Exam Handbook

– BS 7799 / ISO 17799 / 27001 / 27002

– Basel II Accord

– Sarbanes-Oxley

– NERC

– California SB 1386 Privacy

Page 5: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

Disparate Needs of Stakeholders

Business Management

• Consolidate security data

• Proactively identify threats

• Prioritize IT risks

• Security & compliance summary metrics

• Reduce costs of reporting

• Identify areas of risk to the LOB

IT Security, IT Audit, IT Operations

• Prioritize IT risks

• Assign and verify remediation

• Identify areas of risk to the LOB

• Reduce audit costs

• Automated view into security data

• Automate risk & regulatory reporting

• Prioritize and track remediation

• Utilize existing remediation tools

• Closed-loop workflow

Different compliance needs

Page 6: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

Common Compliance Framework

Simple Compliance Framework (diagram; layers from business requirements down to technical enforcement)

Business Requirements: Regulations, Frameworks, Standards (SOX, HIPAA, GLBA, CobiT, COSO, ISO17799, PCI, NIST, NERC)

Policies, Standards, Business (Framework Level; owned by BU Managers/Audit, Compliance, GRC Vendors). Example: "Vulnerable Processes must be eliminated.."

Controls Design

Procedures and Guidelines Detail: Controls (Manual/Auto), Procedures and Guidelines, Enforcement (Detailed Technical; owned by SME, Control Implementation, Data Harvesting Vendors, Security Operations)

Example control: CID 1130 "The telnet daemon shall be disabled" (Technology: AIX 5.x). Rationale: Telnet streams are transmitted in clear text, including usernames and passwords. The entire session is susceptible to interception by Threat Agents.

Page 7: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

7 Common Compliance Mistakes

• Decentralized Policy Management

• Failure to establish a compliance definition

• Tactical instead of strategic response

• Failure to test solutions before implementation

• Treating the audit as a nuisance

• Lack of buy-in from administrative resources

• Unaware of the hidden cost of many compliance solutions

Page 8: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

• Decentralized Policy Management

Issue:

• Many large corporations manage their security policies across disparate locations. Each region creates its own policies, which do not conform to unified standards.

Effect:

• Lack of consistent terminology and reference.

• Inability to demonstrate a cohesive compliance initiative.

• Incompatible compliance frameworks.

• Many organizations are now implementing consolidated repositories such as SharePoint or IT GRC solutions to manage policy content.

Page 9: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

• Common Compliance Vocabulary

Establish the definition of basic concepts:

• Policy

• Compliance

• Standard

• Control

Additional:

• Purpose and Scope Statement: the rationale for why the Control Statement should be implemented (ex: a malicious user may use these accounts to access sensitive information)

• Datapoint: a check against the technology (system, network, database or application) that validates the control (ex: grep '^+:' /etc/passwd /etc/shadow /etc/group)

• Exception: an exception allows an auditor to accept the risk and record the control as passing
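The datapoint and exception concepts above, together with the CID 1130 telnet control from the framework slide, as an added shell example that is not part of the Qualys deck: each datapoint is a function that returns pass or fail, and a control is evaluated by running its datapoint and then consulting an exception register. CID 1130 and the grep '^+:' check come from the slides; the control ID CID1000, the sample file contents and the one-line-per-entry register format are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Qualys deck. Two datapoints of the kind the
# slides describe, evaluated against constructed sample files, plus the
# "an exception makes a control pass" rule. CID 1130 comes from the slides;
# CID1000, the file contents and the register format are assumptions.

# Datapoint: legacy NIS "+" entries (the slides' grep '^+:' check).
# Returns 0 (PASS) when no line in any readable file begins with "+:",
# 1 (FAIL) otherwise.
check_no_nis_plus_entries() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -q '^+:' "$f"; then
            return 1
        fi
    done
    return 0
}

# Datapoint for CID 1130 "the telnet daemon shall be disabled", checked the
# way AIX enables inetd services: an uncommented inetd.conf line starting
# with "telnet" means the daemon is still enabled.
check_telnet_disabled() {
    conf="$1"
    [ -r "$conf" ] || return 0      # no inetd.conf: nothing enables telnet
    if grep -E -q '^[[:space:]]*telnet[[:space:]]' "$conf"; then
        return 1
    fi
    return 0
}

# Run a datapoint for a control and apply the exception register (one
# "CID ticket" pair per line). A raw FAIL with an approved exception is
# reported as PASS, but the ticket stays in the result so the auditor can
# see that the risk was accepted rather than remediated.
evaluate_control() {
    cid="$1"; register="$2"; shift 2
    if "$@"; then
        echo "$cid PASS"
        return 0
    fi
    ticket=$(awk -v c="$cid" '$1 == c { print $2 }' "$register")
    if [ -n "$ticket" ]; then
        echo "$cid PASS (exception $ticket accepted)"
        return 0
    fi
    echo "$cid FAIL"
    return 1
}

# Constructed sample data (not real system files).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf 'root:!:0:0::/:/usr/bin/ksh\n+::0:0:::\n' > "$DEMO_DIR/passwd"   # carries a NIS "+" entry
printf 'root:!:0:0:99999:7:::\n' > "$DEMO_DIR/shadow"
printf 'system:!:0:root\n' > "$DEMO_DIR/group"
printf '#telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a\nftp stream tcp6 nowait root /usr/sbin/ftpd ftpd\n' > "$DEMO_DIR/inetd.conf"
printf 'telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a\n' > "$DEMO_DIR/inetd_enabled.conf"
printf 'CID1000 RISK-4711\n' > "$DEMO_DIR/exceptions"

# CID1000 fails the raw check but has an approved exception: reported as PASS with the ticket.
evaluate_control CID1000 "$DEMO_DIR/exceptions" check_no_nis_plus_entries \
    "$DEMO_DIR/passwd" "$DEMO_DIR/shadow" "$DEMO_DIR/group"
# CID1130 passes on the hardened inetd.conf and fails on the one with telnet enabled.
evaluate_control CID1130 "$DEMO_DIR/exceptions" check_telnet_disabled "$DEMO_DIR/inetd.conf"
evaluate_control CID1130 "$DEMO_DIR/exceptions" check_telnet_disabled "$DEMO_DIR/inetd_enabled.conf" || true
```

Running the script prints one line per control evaluation. Keeping the exception ticket in the PASS line is the point of the design: a report that silently turns accepted risk into a green result hides exactly the information an audit is supposed to surface.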

Page 10: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

• Tactical vs. Strategic Response

Issue:

• After SOX was put into effect, many organizations responded by creating multitudes of controls to satisfy perceived requirements.

Effect:

• An inability to comply with all the defined requirements.

• Overwhelmed IT staff trying to keep up.

• Organizations that used a strategic approach, prioritizing a manageable set of controls, were more successful.

Page 11: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

• Failure to Test

Issue:

• Some organizations purchased software to automate harvesting of IT compliance data, usually information security tools.

Effect:

• In the haste to get solutions implemented, testing was nonexistent or inadequate.

• Solutions did not meet the companies' compliance needs.

• Some implementations conflicted with existing functions.

• Unnecessary costs were incurred.

Page 12: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

• Treating the Audit as a Nuisance

Issue:

• There are many benefits to an IT audit. The analysis of business functions can identify waste and streamline business processes. But many organizations see audits as a nuisance and go through the motions for appearance only.

Effect:

• Lack of buy-in from stakeholders

• A perception of convenience over security can take hold

• System integrity can be inconsistent

Page 13: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

• Lack of Buy-In from Administrators

Issue:

• Administrators of IT assets are often used to doing things their own way. They can be very confident of their technical ability and can assume that they are above the rules or can erase evidence.

Effect:

• Some administrators have a tendency to circumvent the accepted process.

• Policy violations can occur and become evident during an audit.

• Security issues can be introduced.

Page 14: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

• The Hidden Cost of Compliance Solutions

Issue:

• Many software vendors have jumped into the compliance market. Compliance is what is driving the bulk of security software purchases. All vendors focus on improving the efficiency of the compliance process via software automation, but there are hidden costs that should be evaluated as well.

Effect:

• Maintenance of the IT systems behind the solution (servers, databases) increases the resources needed.

• Staff must be educated on usage of the solution.

• The technology in some solutions can go out of date quickly.

Page 15: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

Lessons Learned

• Centralize policy management and promote consistency

• Establish a common compliance definition and educate

• Focus on a strategic response to maximize efficiency

• Thoroughly test solutions before implementation

• Consider audits as part of necessary business analysis

• Foster buy-in and collaboration from administrative resources

• Achieve an understanding of the full impact of purchased solutions

Page 16: 7 Mistakes of IT Security Compliance - and Steps to Avoid Them

Q & A

Thank You!


Jason Creech

[email protected]