7 Mistakes of IT Security Compliance - and Steps to Avoid Them
This presentation describes seven typical IT security compliance errors and outlines the best practices you can immediately apply to your environment to help your company achieve compliance.

Presentation Transcript

  • Avoiding 7 Common Mistakes of IT Security Compliance. Jason Creech, Director of Product Management, Policy Compliance, Qualys, Inc.
  • Agenda
    – Introduction
    – Regulatory Landscape
    – Disparate Needs of Stakeholders
    – Common Compliance Framework
    – Common Compliance Mistakes
    – Lessons Learned
    – Summary
  • IT Compliance Overview: ensuring IT compliance with regulatory mandates, industry standards, and internal best-practice policies. The risks of non-compliance are significant and can result in substantial financial penalties and negative brand impact. Compliance programs focus on:
    – Developing and maintaining IT controls and policies
    – Gathering data for measuring the operational implementation of controls
    – Meeting increasingly complex regulations and industry mandates
    – Meeting different stakeholder needs
  • Regulatory Landscape: today we are seeing more standards, frameworks and regulations, many of them industry specific (HIPAA, GLBA, FDCC, PCI). Yet many regulations are over a decade old and there is still no standardization. The slide shows a timeline from the 1990s to 2000 and beyond:
    – ITIL v3
    – PIPEDA (Canada)
    – FDCC/SCAP
    – NIST SP 800-53
    – PCI Data Security Standard (PCI DSS)
    – EC Data Privacy Directive
    – FISMA 2002
    – FFIEC IT Exam Handbook
    – California SB 1386 Privacy
    – EU Data Protection Directive
    – BS 7799 / ISO 17799 / 27001 / 27002
    – HIPAA Security Rule
    – NERC
    – FDA 21 CFR Part 11 (Pharma)
    – Sarbanes-Oxley
    – Basel II Accord
    – GLBA
  • Disparate Needs of Stakeholders: each group has different compliance needs.
    – Business Management: security and compliance summary metrics; reduce costs of reporting; identify areas of risk to the line of business (LOB)
    – IT Security: consolidate security data; proactively identify threats; prioritize IT risks; assign and verify remediation
    – IT Operations: prioritize and track remediation; utilize existing remediation tools; closed-loop workflow
    – IT Audit: reduce audit costs; automated view into security data; automate risk and regulatory reporting
  • Common Compliance Framework: a simple framework drawn as layers, from the regulation at the top down to detailed technical enforcement at the bottom.
    – Regulations: SOX, PCI, HIPAA, GLBA, NERC
    – Frameworks: CobiT, COSO, NIST, ISO 17799, GRC
    – Policies, standards and controls, designed by BU managers and audit with input from vendors and SMEs (business requirements). Example policy statement: "Vulnerable processes must be eliminated."
    – Security controls (manual or automated), stated per technology. Example for AIX 5.x, CID 1130: "The telnet daemon shall be disabled." Rationale: telnet streams are transmitted in clear text, including usernames and passwords; the entire session is susceptible to interception by threat agents.
    – Operations: data-harvesting procedures, procedures and guidelines, implementation guidelines from control vendors
    – Detailed technical enforcement
  • 7 Common Compliance Mistakes
    – Decentralized policy management
    – Failure to establish a compliance definition
    – Tactical instead of strategic response
    – Failure to test solutions before implementation
    – Treating the audit as a nuisance
    – Lack of buy-in from administrative resources
    – Unaware of the hidden cost of many compliance solutions
  • Decentralized Policy Management. Issue: many large corporations manage their security policies across disparate locations; each region creates its own policies, which do not conform to unified standards. Effect: lack of consistent terminology and reference; inability to demonstrate a cohesive compliance initiative; incompatible compliance frameworks. Many organizations are now implementing consolidated repositories such as SharePoint or IT GRC solutions to manage policy content.
  • Common Compliance Vocabulary: establish the definition of the basic concepts (Policy, Compliance, Standard, Control) and of the additional terms:
    – Purpose and Scope Statement: a rationale for why the Control Statement should be implemented (ex: "A malicious user may use these accounts to access sensitive information")
    – Datapoint: a check against the technology (system, network, database or application) that validates the control (ex: grep '^+:' /etc/passwd /etc/shadow /etc/group)
    – Exception: an Exception allows an auditor to accept risk and make a control pass
  • Tactical vs. Strategic Response. Issue: after SOX was put into effect, many organizations responded by creating multitudes of controls to satisfy perceived requirements. Effect: an inability to comply with all the defined requirements; overwhelmed IT staff trying to keep up. Organizations that used a strategic approach, prioritizing a manageable set of controls, were more successful.
  • Failure to Test. Issue: some organizations purchased software to automate the harvesting of IT compliance data, usually information security tools. Effect: in the haste to get solutions implemented, testing was nonexistent or inadequate; solutions did not meet the companies' compliance needs; some implementations conflicted with existing functions; unnecessary costs were incurred.
  • Treating the Audit as a Nuisance. Issue: there are many benefits to an IT audit; the analysis of business functions can identify waste and streamline business processes. But many organizations see audits as a nuisance and go through the motions for appearance only. Effect: lack of buy-in from stakeholders; a perception of convenience over security can occur; system integrity can be inconsistent.
  • Lack of Buy-In from Administrators. Issue: administrators of IT assets are often used to doing things their own way. They can be very confident of their technical ability and can assume that they are above the rules or can erase evidence. Effect: some administrators have a tendency to circumvent the accepted process; policy violations can occur and become evident during an audit; security issues can be introduced.
  • The Hidden Cost of Compliance Solutions. Issue: many software vendors have jumped into the compliance market, and compliance is what is driving the bulk of security software purchases. All vendors focus on improving the efficiency of the compliance process through software automation, but there are hidden costs that should be evaluated as well. Effect: maintenance of the IT systems (servers, databases) increases the resources needed; staff must be educated on the use of the solution; the technology of some systems can fall out of currency quickly.
  • Lessons Learned
    – Centralize policy management and promote consistency
    – Establish a common compliance definition and educate
    – Focus on a strategic response to maximize efficiency
    – Thoroughly test solutions before implementation
    – Consider audits as part of necessary business analysis
    – Foster buy-in and collaboration from administrative resources
    – Achieve an understanding of the full impact of purchased solutions
  • Q&A. Thank you! Jason Creech, jcreech@qualys.com
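The Control, Datapoint and Exception vocabulary from the Common Compliance Vocabulary slide, applied to the AIX telnet control (CID 1130) from the Common Compliance Framework slide, as an added Python example that is not part of the presentation or of any Qualys product. One datapoint is the slide's own grep check for NIS '+' entries, the other checks for an enabled telnet service in inetd.conf; the sample file contents, the control id CID-EXAMPLE and the exception text are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample files for an AIX 5.x-style host: a NIS '+' compatibility
# entry in /etc/passwd and a still-enabled telnet daemon in /etc/inetd.conf.
SAMPLE_FILES = {
    "/etc/passwd": "root:!:0:0::/:/usr/bin/ksh\n+::0:0:::\n",
    "/etc/shadow": "root:x:0::::::\n",
    "/etc/group": "system:!:0:root\n",
    "/etc/inetd.conf": ("ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd\n"
                        "telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a\n"),
}

@dataclass
class Control:
    cid: str                           # control id (CID 1130 is from the slide)
    statement: str                     # the Control Statement
    rationale: str                     # the Purpose and Scope Statement
    datapoint: Callable[[dict], list]  # check against the technology; returns evidence
    exception: Optional[str] = None    # auditor-accepted risk, if any

def nis_compat_entries(files: dict) -> list:
    """The slide's datapoint: grep '^+:' /etc/passwd /etc/shadow /etc/group."""
    return [f"{p}: {l}" for p in ("/etc/passwd", "/etc/shadow", "/etc/group")
            for l in files.get(p, "").splitlines() if l.startswith("+:")]

def telnet_enabled(files: dict) -> list:
    """Datapoint for CID 1130: an uncommented telnet service line in inetd.conf."""
    return [l for l in files.get("/etc/inetd.conf", "").splitlines()
            if l.split()[:1] == ["telnet"]]

CONTROLS = [
    Control("CID 1130", "The telnet daemon shall be disabled",
            "Telnet streams are transmitted in clear text, including usernames "
            "and passwords; the entire session is susceptible to interception.",
            telnet_enabled),
    Control("CID-EXAMPLE", "NIS '+' compatibility entries shall not exist",  # constructed id
            "A malicious user may use these accounts to access sensitive information.",
            nis_compat_entries,
            exception="Legacy NIS migration in progress; risk accepted by audit"),  # constructed
]

def evaluate(control: Control, files: dict) -> dict:
    """FAIL when the datapoint returns evidence, unless an Exception accepts the risk."""
    evidence = control.datapoint(files)
    status = "PASS" if not evidence or control.exception else "FAIL"
    return {"cid": control.cid, "status": status, "evidence": evidence}

def run_all(files: dict = SAMPLE_FILES) -> list:
    return [evaluate(c, files) for c in CONTROLS]
```

Against the sample files the telnet control fails with the offending inetd.conf line as evidence, while the NIS control passes only because an auditor-recorded exception accepts the risk, which is exactly the distinction the vocabulary slide draws.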