Until fairly recently, information security people were buried away in server rooms configuring firewalls and patching servers. With the sudden influx of compliance and regulatory requirements being placed onto a business, sometimes quite unenthusiastic IT security people have now been pulled into understanding and often helping to implement compliance solutions.
But how can security teams help join the dots between their security work and compliance issues? How can compliance requirements be met without placing undue strain on the organisation causing paralysis by analysis? How can information security people add value to a business following a compliance agenda?
Let’s take a look.
A demanding role
I would imagine that everyone knows only too well the demands on us as information security professionals. I think it could be argued that we have one of the most difficult jobs in the IT business as we need to be seen to add value whilst at the same time often saying no - often a contradictory position.
As the current financial situation bites we are faced with doing more with less, and organisations are increasingly worried about reputational risk more than ever before, as any damage to the business will have an affect on often slim profits. This work needs to be balanced with the relentless slog of dealing with malware and other unexpected gotchas waiting in the wings to pounce.
Some of us are lucky enough to enjoy a lot of support from the executive team downwards. Unfortunately other boards may see the information security role as nothing but a pain and something they wish they could make go away. If this is your position you have my sympathies!
The demands of a business culture that is becoming more and more compliance oriented can be major. The problem is that this change in culture leads to some strange ideas.
One objection to additional security spend I hear from businesses is that they are fully compliant, as proved by external auditors, and therefore don’t need much or any more investment in their IT security systems.
Some business managers are then astonished when they realise that security has been breached, especially after they had spent considerable sums on establishing this compliant business environment. Indeed the fact that the business is compliant, whatever that means, has induced a level of complacency in some as regards information security.
IT security managers have a need to help educate business managers in the differences between compliance and security. That way a business can make investment decisions based on accurate information rather than assumptions.
Achieving compliance, in the broadest sense of the word, can be a good thing as it often instils good practices and procedures. On the other hand, over-compliance can be detrimental as the business can be bogged down in achieving a goal that delivers little direct business benefit.
I feel for medium sized businesses that are captured by the compliance net but have little or no resources to meet what can be seen as an onerous requirement. Fortunately some compliance and regulatory demands have planned for this and offer suitable break points so that small and medium sized business don’t fall foul of regulations whilst being able to run their day to day business.
PCI-DSS is probably one of these regulations that appears to have got this balance as right as they can, and organisations that I work with are generally satisfied that they can achieve their required level of PCI-DSS compliance with it breaking their businesses.
If you take a look at the 12 requirements of PCI DSS no one could argue against the sanity of putting in place these measures:
- Build and maintain a secure network, including installing and maintaining a firewall configuration to protect cardholder data and not using default passwords.
- Protect cardholder data and encrypt transmission of cardholder data across open, public networks.
- Maintain a vulnerability management program and use regularly updated anti-virus software. Develop and maintain secure systems and applications.
- Implement strong access control measures and restrict access to cardholder data on a need-to-know basis. Assign a unique ID to each person with computer access and restrict physical access to cardholder data.
- Regularly monitor and test networks and track and monitor all access to network resources and cardholder data.
- Maintain a policy that addresses information security.
I don’t see how any information security professional could argue against implementing these requirements as they all go to make up a commonsense set of security structures. Having recently had my credit card details stolen I am as keen as anyone to see merchants achieve a better level of security and compliance.
Contrast this with Sarbanes-Oxley which imposes rather mystical requirements on information security. For example, section 404 requires organisations to “provide internal controls and report on their effectiveness” and section 802 says that organisations must “ensure the integrity and availability of records”. This is a charter for auditors to make a lot of money!
Undoubtedly, adherence to compliance requirements can assist an organisation trying to achieve funding or a possible sale. In my experience of working in mergers and acquisitions during various due diligence investigations, any non-compliance is often rapidly uncovered leading to increased suspicions concerning the overall management and health of the business.
The knock-on effect to corporate valuations and exit multiples can have a direct, profound affect on the principals - especially in smaller businesses.
For many organisations the scale of the current and looming compliance challenge is huge.
Here is a sample of some acts that need to be considered for organisations working in the EU. Not all of them apply to every sector, industry or geography which makes things even more complicated when trying to unearth which acts you should be worrying about. Adoption will vary on a country by country basis - getting expert help that can interpret these regulations is vital to avoid falling foul of some regulation or other.
Two European directives were issued by the European Union Council of Ministers aiming to create more transparency and public confidence in the operations of companies operating within the EU.
The 8th EU Company Law Directive (commonly referred to as EuroSox - the official name is "Directive 84/253/EEC") became EU law in 2008 and is designed to strengthen the standards and public accountability of the audit profession. EuroSox also aims to enhance confidence in financial statements and annual reports from European companies.
The plan is that EuroSox will be incorporated into local national company laws, therefore penalties will vary from member state to member state. 12 member states had enacted EuroSox by July 2008 and the UK implemented it as part of the Companies Act 2006.
EuroSox demands that IT maintains accurate, dependable records with full audit trails of any data changes. Management will expect accurate and dependable reports created from within IT systems, which, in turn, will need to be secured to meet auditor approval. Data must be protected from unauthorised access.
Whilst the directive doesn't mandate a specific standard or framework it clearly shows that international standards and frameworks such as ISO 27001/27002 and COBIT are useful to ensure that the company will pass an audit of their internal IT controls and information security management.
These ISO standards are often in a state of flux, but essentially:
- The ISO 27001 standard, published in October 2005, more or less replaced the old BS7799-2 standard which it enhanced and standardised.
- The ISO 27002 standard is a code of practice for information security and is the renamed ISO 17799 standard. In essence it outlines hundreds of control mechanisms which may be implemented subject to the guidance provided within ISO 27001.
With many of these standards still being evolved compliance and standards adherence can be a minefield.
As we have seen, compliance is now a big requirement for many businesses and I think most people would agree that the depth and breadth of compliance requirements is only going to deepen.
As organisations switch onto the world of compliance they realise that it is far more cost effective to run compliant systems 24/7 rather than hastily scrabble to clean up prior to an audit. Those days should be long gone and organisations should ideally be “audit ready” at all times, or at least strive to be.
Any investments in systems that assist in gathering data and then produce compliance documentation will inevitably be proven to be a wise one, if even in the short term there is some practical and fiscal pain in purchasing and implementing the system.
This is where knowing the unknowns can pay dividends. I worked with a very large organisation recently that was feeling under pressure to come up to scratch from a compliance viewpoint. The IT infrastructure was (and indeed is) huge, and quite frankly systems, servers, networks and deployments ran away with themselves for a number of years. The IT management was feeling overwhelmed and needed to try and get a grip. To that end they installed and configured some automatic discovery tools to try and scan the network to see how it matched with their “official” documentation. The scale of additional network segments, hidden wireless access points, secret departmental databases and a wealth of other unauthorised IT was very, very frightening. This shook up the management and lead to a far more structured planning and network management process. Luckily they managed to get most of these issues addressed prior to a looming audit.
We, as information security professionals, need to be adding value to the business. Instead of being seen as the people that say no, we should be a conduit to ease the implementation of compliance systems. By understanding not only the technical challenges of compliance requirements but also the business context we can be seen to add value from the off.
The good news is that, as we have seen, investing in compliance can also help us deliver a secure working environment. That said, it is beholden on us to ensure the business really understands the difference between compliance and security but at the same time sees the improved business case of delivering appropriate security projects on the back of a compliance requirement.
In our industry nothing stays still for long.
A word of caution now needs to be sounded about cloud based systems and compliance. The race to the cloud has seen a number of organisations fall foul of data protection regulations and issues such as data privacy. Of course the cloud delivers some interesting business benefits but these must be balanced against the associated security and regulatory issues - joining the dots between security and compliance initiatives when talking about cloud computing can be very tricky.
The good news is that aligning information security and compliance, although a challenge, is probably getting easier now than it was up until a couple of years ago. The availability of tools to help in this process should reduce the compliance headache and help us get some value out of the compliance process.
I will leave you with one last thought. Here in the UK, after the second world war, lots of people were driving cars which were in pretty bad repair - brakes were poor, lights were damaged and steering was often ropey. This lead to accidents and injuries that could have been prevented. In 1960 the Ministry of Transport introduced a compulsory test, now commonly called the MOT, on all vehicles over 10 years old in an effort to ban the most dangerous cars from the road. Over time the age of annual tests reduced to its current of 3 years and the breadth and depth of the MOT has now expanded to incorporate new technologies such as catalytic convertors.
Is the growth in IT related regulations and compliance requirements following a similar trajectory to the evolution of the MOT test?
All in all we now see far fewer “old bangers” on the road than at anytime in the past and I wonder whether we will benefit in seeing fewer data breaches and security lapses as computer systems are put through regular audits or MOTs.
Of course the mistake many people make when buying a car is to assume that a current MOT certificate is proof that a vehicle is roadworthy. Of course it isn’t - all it means is that at the time of testing the car was able to pass the MOT test.
In a similar way a computer system may pass an audit but very rapidly collapse into a state of non-compliance due to mismanagement. Constant attention to audit and compliance is the only sensible way to manage these needs.
Who knows, with the development of decent compliance and regulations we may see less dangerous IT systems and fewer data loss accidents, crashes and mishaps!