7 Mistakes of IT Security Compliance - and Steps to Avoid Them


This presentation describes seven typical IT security compliance errors and outlines the best practices you can immediately apply to your environment to help your company achieve compliance.

  1. Avoiding 7 Common Mistakes of IT Security Compliance. Jason Creech, Director Product Management, Policy Compliance, Qualys, Inc.
  2. Agenda: Introduction; Regulatory Landscape; Disparate Needs of Stakeholders; Common Compliance Framework; Common Compliance Mistakes; Lessons Learned; Summary.
  3. IT Compliance Overview: ensuring IT compliance with regulatory mandates, industry standards, and internal best-practice policies. Risks of non-compliance are significant and can result in substantial financial penalties and negative brand impact. Compliance programs focus on:
     – Developing and maintaining IT controls and policies
     – Gathering data for measuring the operational implementation of controls
     – Meeting increasingly complex regulations and industry mandates
     – Meeting different stakeholder needs
  4. Regulatory Landscape. Today we are seeing more standards, frameworks and regulations, many of them industry-specific (HIPAA, GLBA, FDCC, PCI). Yet many regulations are over a decade old and there is still no standardization. Regulations and standards shown on the slide's timeline (1990s, 2000 and beyond):
     • ITIL v3
     • PIPEDA (Canada)
     • FDCC/SCAP
     • NIST SP 800-53
     • PCI Data Security Standard (PCI DSS)
     • EC Data Privacy Directive
     • FISMA 2002
     • FFIEC IT Exam Handbook
     • California SB 1386 Privacy
     • EU Data Protection Directive
     • BS 7799 / ISO 17799 / 27001 / 27002
     • HIPAA Security Rule
     • NERC
     • FDA 21 CFR Part 11 (Pharma)
     • Sarbanes-Oxley
     • Basel II Accord
     • GLBA
  5. Disparate Needs of Stakeholders: each group has different compliance needs.
     Business Management:
     • Security & compliance summary metrics
     • Reduce costs of reporting
     • Identify areas of risk to the LOB
     IT Security:
     • Consolidate security data
     • Proactively identify threats
     • Prioritize IT risks
     • Assign and verify remediation
     IT Operations:
     • Prioritize and track remediation
     • Utilize existing remediation tools
     • Closed-loop workflow
     IT Audit:
     • Reduce audit costs
     • Automated view into security data
     • Automate risk & regulatory reporting
  6. Common Compliance Framework (a simple compliance framework), from the framework level down to detailed technical enforcement:
     • Framework level. Regulations: SOX, PCI, HIPAA, GLBA, NERC. Frameworks: CobiT, COSO, NIST, ISO17799. GRC.
     • Controls/standards level, owned by vendors, BU managers and audit: policies, standards, compliance requirements. Example business requirement: “Vulnerable processes must be eliminated.”
     • Design level, owned by SMEs and technology (example technology: AIX 5.x): security controls (manual/automated). Example control, CID 1130: “The telnet daemon shall be disabled.” Rationale: telnet streams are transmitted in clear text, including usernames and passwords; the entire session is susceptible to interception by threat agents.
     • Operations level, owned by vendors and operations: data harvesting, procedures and guidelines, control implementation guidelines, detailed technical enforcement.
  7. 7 Common Compliance Mistakes:
     • Decentralized policy management
     • Failure to establish a compliance definition
     • Tactical instead of strategic response
     • Failure to test solutions before implementation
     • Treating the audit as a nuisance
     • Lack of buy-in from administrative resources
     • Unaware of the hidden cost of many compliance solutions
  8. Decentralized Policy Management. Issue: many large corporations manage their security policies across disparate locations. Each region creates its own policies, which do not conform to unified standards. Effect: lack of consistent terminology and reference; inability to demonstrate a cohesive compliance initiative; incompatible compliance frameworks. Many organizations are now implementing consolidated repositories such as SharePoint or IT GRC solutions to manage policy content.
  9. Common Compliance Vocabulary. Establish the definition of basic concepts: Policy, Compliance, Standard, Control. Additional terms:
     • Purpose and Scope Statement: a rationale for why the control statement should be implemented (ex: a malicious user may use these accounts to access sensitive information).
     • Datapoint: a check against the technology (system, network, database or application) that validates the control (ex: grep '^+:' /etc/passwd /etc/shadow /etc/group).
     • Exception: an exception allows an auditor to accept the risk and make a control pass.
  10. Tactical vs. Strategic Response. Issue: after SOX was put into effect, many organizations responded by creating multitudes of controls to satisfy perceived requirements. Effect: an inability to comply with all the defined requirements; overwhelmed IT staff trying to keep up. Organizations that used a strategic approach, prioritizing a manageable set of controls, were more successful.
  11. Failure to Test. Issue: some organizations purchased software to automate the harvesting of IT compliance data, usually information security tools. Effect: in the haste to get solutions implemented, testing was nonexistent or inadequate; solutions did not meet the companies' compliance needs; some implementations conflicted with existing functions; unnecessary costs were incurred.
  12. Treating the Audit as a Nuisance. Issue: there are many benefits to an IT audit; the analysis of business functions can identify waste and streamline business processes. But many organizations see audits as a nuisance and go through the motions for appearance only. Effect: lack of buy-in from stakeholders; a perception of convenience over security can occur; system integrity can be inconsistent.
  13. Lack of Buy-In from Administrators. Issue: administrators of IT assets are often used to doing things their own way. They can be very confident of their technical ability and can assume that they are above the rules or can erase evidence. Effect: some administrators have a tendency to circumvent the acceptable process; policy violations can occur and become evident during an audit; security issues can be introduced.
  14. The Hidden Cost of Compliance Solutions. Issue: many software vendors have jumped into the compliance market; compliance is driving the bulk of security software purchases. All vendors focus on improving the efficiency of the compliance process via software automation, but there are hidden costs that should be evaluated as well. Effect: maintenance of IT systems (servers, databases) increases the resources needed; staff must be educated on usage of the solution; the technology of some systems can fall out of currency quickly.
  15. Lessons Learned:
     • Centralize policy management and promote consistency
     • Establish a common compliance definition and educate
     • Focus on a strategic response to maximize efficiency
     • Thoroughly test solutions before implementation
     • Consider audits as part of necessary business analysis
     • Foster buy-in and collaboration from administrative resources
     • Achieve an understanding of the full impact of purchased solutions
  16. Q&A. Thank you! Jason Creech, jcreech@qualys.com
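The vocabulary on slide 9 (control, datapoint, exception) and the worked control on slide 6 (CID 1130, "the telnet daemon shall be disabled") fit together as a small evaluation loop: run each datapoint, and let an auditor-accepted exception turn a failing control into a pass without changing the raw evidence. The POSIX shell script below is an added example and is not part of the presentation or of any Qualys product. It evaluates the slide's own grep datapoint for NIS "+" entries and a datapoint for CID 1130 against constructed sample files written to a temporary directory; the control ID CID-NISPLUS, the inetd.conf layout and the exception list are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the presentation. Evaluates two datapoints against
# constructed sample files and applies an auditor exception to one control.
# Assumed: the control ID CID-NISPLUS, the inetd.conf layout, the exception list.

SAMPLE=$(mktemp -d)                 # constructed sample "system", removed on exit
trap 'rm -rf "$SAMPLE"' EXIT

# --- Constructed sample inputs (NOT real system files) ---
# passwd carries a NIS compatibility "+" entry; shadow and group are clean.
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
+::::::
EOF
cat > "$SAMPLE/shadow" <<'EOF'
root:*:19000:0:99999:7:::
EOF
cat > "$SAMPLE/group" <<'EOF'
root:x:0:
EOF
# inetd.conf where telnet is still active (ftp is commented out, telnet is not).
cat > "$SAMPLE/inetd.conf" <<'EOF'
#ftp    stream tcp nowait root /usr/sbin/ftpd ftpd
telnet  stream tcp nowait root /usr/sbin/telnetd telnetd -a
EOF

# Datapoint from slide 9: no line beginning with "+:" in the account files.
# Returns 0 (pass) only when all three files exist and none contains such a line;
# a missing evidence file returns 2 so that absent evidence never reads as a pass.
check_no_nis_plus_entries() {
    dir="$1"
    for f in passwd shadow group; do
        [ -r "$dir/$f" ] || return 2
    done
    ! grep -q '^+:' "$dir/passwd" "$dir/shadow" "$dir/group"
}

# Datapoint for CID 1130 (slide 6): no active, uncommented telnet line in inetd.conf.
check_telnet_disabled() {
    [ -r "$1/inetd.conf" ] || return 2
    ! grep -Eq '^[[:space:]]*telnet[[:space:]]' "$1/inetd.conf"
}

# Exception list: control IDs for which an auditor has accepted the risk (assumed).
EXCEPTIONS="CID-1130"

is_excepted() {
    for e in $EXCEPTIONS; do
        [ "$e" = "$1" ] && return 0
    done
    return 1
}

# Evaluate one control: run its datapoint; a failing control passes only if an
# exception exists. Prints one result line and returns non-zero on a real FAIL.
evaluate_control() {
    cid="$1"; datapoint="$2"; dir="$3"
    if "$datapoint" "$dir"; then
        echo "$cid PASS"; return 0
    elif is_excepted "$cid"; then
        echo "$cid PASS (exception accepted by auditor)"; return 0
    else
        echo "$cid FAIL"; return 1
    fi
}

# Run every control against one directory; non-zero if any control really failed.
run_report() {
    dir="$1"; failed=0
    evaluate_control CID-NISPLUS check_no_nis_plus_entries "$dir" || failed=1
    evaluate_control CID-1130 check_telnet_disabled "$dir" || failed=1
    return $failed
}

if run_report "$SAMPLE"; then
    echo "All controls satisfied"
else
    echo "At least one control failed without an accepted exception"
fi
```

On the constructed sample, CID-NISPLUS fails (the "+" entry is present and no exception covers it) while CID-1130 passes only because of the exception; the datapoint itself still reports telnet as active, so the evidence behind the accepted risk is preserved for the next audit. Treating a missing evidence file as a failure rather than a pass is the one deliberate departure from a bare grep, since `grep` alone would exit non-zero on an unreadable file and a negated call would then look like compliance.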