Regulatory pressures vary by industry and by regulation, but in general they can be addressed by tailoring an information security program and architecture to provide the necessary elements of risk management, policy development, active monitoring, incident response, documentation, reporting, and organizational security awareness. No single product or mechanism is a complete information security solution, but an acceptable level of risk can be maintained through a combination of program and process elements, effective management and expertise, and the right tools. Managed this way, security compliance becomes a predictable outcome rather than a separate project. This means that publicly held organizations that maintain electronic protected health information (ePHI) can meet HIPAA and Sarbanes-Oxley requirements, and retail companies that process credit card data can better meet PCI-DSS mandates.
Most laws, regulations, and guidelines identify common IT security practices that help to establish a continuous security compliance management program. Although these requirements apply to different industries and to government, the mandates rest on a common foundation of recognized risk management best practices. These "common security compliance threads", which help secure corporate assets and information while enabling the organization to meet compliance obligations, are:
- Risk Assessment: Maintain an ongoing information security risk assessment program, providing the necessary visibility into the infrastructure to assess and manage risk on a real-time and historical basis.
- Access Controls: Allow access only to authorized individuals and devices, and deny it to all others by default.
- Sensitive Data Protection: Implement administrative, technical, and physical safeguards to protect sensitive nonpublic corporate information and private customer data.
- Vulnerability & Threat Assessment: Perform periodic scans of networks and hosts to identify vulnerabilities, and track each finding through to remediation or documented risk acceptance.
- Firewalls: Establish a firewall policy that states management’s expectation for how the firewall should function as a component of the overall security policy. The firewall selection and policy should stem from the ongoing security risk assessment process.
- IDS & IPS: Implement IDS and IPS capabilities to help detect, prevent, and respond to intrusion activities.
- Patch Management: Ensure that patch management standards include procedures for identifying, evaluating, approving, testing, installing, and documenting software patches.
- Change Management: Fully authorize, track, and document all security policy and process changes.
- Configuration Management: Develop baseline standards that define the original versions for hardware, software, services, documentation, and security settings. Then evaluate, approve, document and disseminate all changes to baseline versions.
- Logging: Take reasonable steps to ensure that sufficient data is collected from secured log files on all network devices and critical applications, forwarded to a central store that the monitored systems themselves cannot alter, and retained for the period the applicable regulation requires. Use that data to identify and respond to security incidents and to monitor and enforce policy compliance.
- Monitoring: Actively gather and analyze data in real time on new threats and vulnerabilities, actual attacks, and the effectiveness of the organization's security controls.
- Reporting: Report on the status of information security and on security events. Such reporting covers the adequacy of internal controls, risk management and control decisions, security breaches, and other events that could negatively affect shareholder value or the customer.
- Rapid Response: Recognize that a material event (one that negatively affects shareholder value or the customer) has occurred, assess its effect on the company and the customer, take remedial action, and notify the appropriate parties such as customers, regulators, and shareholders. At the time of writing, the Securities and Exchange Commission had specified a "48-hour" response, while other regulatory bodies specified a "reasonable" amount of time; notification windows change with new rulemaking, so the response plan should cite the current text of each applicable regulation rather than a fixed number.
- Intrusion/Incident Response: Establish a formal response program based on the full cycle of incident management: event detection, evidence collection and archiving, ticketing, prioritization, mitigation, and resolution as events occur. This minimizes damage to the operation and customers through containing the intrusion, restoring systems, and providing assistance where needed.
- Business Continuity: Facilitate business continuity through management documenting, maintaining, and testing the business continuity plan and back-up systems on a periodic basis to mitigate the risk of system failures and unauthorized intrusions.
Understanding these common security compliance threads enables organizations to adopt a more proactive and cost-effective security compliance management initiative. A key success factor in meeting these common threads is an organization's ability to select and adopt the right technology to address a broad range of these mandates at once, rather than a separate tool per regulation. Done right, security compliance management leverages the best resources, the right technology solutions, and prudent practices to foster a culture of ongoing security risk management. As a result, achieving compliance becomes a "by-product" of implementing sound security management.