Organizations are placing far too much emphasis on the compliance certification and not enough on the compliance process
by: Dan Maloney, for infosecurity
Perhaps the most surprising fact about last year’s slew of data breaches is that the organizations that made headlines were considered compliant with at least one of the common security frameworks, such as PCI-DSS or HIPAA.
Observers may scratch their heads and wonder if these standards do any good at all. But compliance is not pointless – organizations are just placing far too much emphasis on the compliance certification and not enough on the compliance process. The end goal should not be the piece of paper with a stamp of approval. Companies should be working diligently to identify and mitigate risks threatening confidentiality, integrity or availability of systems and data.
Two of the nation’s largest data breaches cost their respective companies approximately $100m each last year. Smaller organizations with less data to steal will pay less, but it’s an unnecessary expense that could be avoided via proper risk management on the front end.
Rather than a mere checklist from an external governing body, proper risk management is an ongoing process. It takes into account the unique nature of each organization. While compliance programs such as HIPAA, PCI, FISMA and others are a great starting point, they can’t identify all areas of risk in an organization. Each organization must do that for itself.
Compliance checklists can never provide the level of security that risk management can. If you don’t have a risk management program, start small and use the free resources available at http://csrc.nist.gov.
How Expensive is Non-Compliance?
The Ponemon Institute conducted an independent study, The True Cost of Compliance, which revealed that the cost of non-compliance (i.e. penalties and fines) is far greater than compliance. When researchers adjusted the total cost of compliance by organizational headcount, they found that compliance cost $222 per employee, while the cost for non-compliance came to $820 per employee.
The frequency of internal compliance audits, according to the study, is inversely related to per capita non-compliance costs. In other words, the more internal audits you perform successfully, the lower your chances of failing a real compliance audit. The cost of non-compliance goes beyond fees, penalties, and legal costs; it disrupts the normal business processes, reduces productivity and creates tremendous stress on the individuals involved.
Internal Audits Made Easier
Everyone understands that compliance is a requirement, but compliance auditing seems like a labor-intensive and difficult task.
Fortunately, compliance audits aren’t what they used to be. Automated monitoring offers peace of mind and streamlined processes. There are solutions today that provide the benefit of a single-pane-of-glass view of corporate network infrastructure. Some products go even further, providing pre-configured rules and reports, many of which are designed specifically to make preparing for compliance audits as easy as a click of the mouse.
Rather than commandeering IT resources two weeks before audit reports are due, IT managers should consider solutions that generate compliance reports automatically for the following: PCI DSS, SOX, NERC, GLBA, GPG13, FISMA, COBIT, ITIL, ISO, HIPAA and SANS Critical Controls.
IT staff are better able to discover new – and potentially rogue – devices on the network using a compliance monitoring solution. It also enables a more efficient alert system. Imagine being able to view the entire network at a glance. This kind of functionality also helps isolate the root cause of security and network issues, which is of particular value in virtualized environments where problem root causes change over time.
Another benefit of using automated monitoring for compliance is immediate ROI. As an example, a financial services firm was required to produce quarterly GLBA compliance reports. It was a full-time job for three IT system administrators for three weeks per quarter. During this time, they would manually parse terabytes of logs to find all instances of specific security events such as unauthorized server access.
All of this activity was drastically reduced when the firm implemented an automated monitoring solution. Those events were instantly tracked, correlated and delivered as pre-configured reports and dashboards. In addition to automating GLBA compliance for security, the company also gained health-of-network visibility into server and application performance and availability.
Increasing the Odds of Success
As companies endeavor to protect their critical data, maintaining compliance with IT security mandates such as PCI, SOX and HIPAA is more important than ever before. However, as we continue to see, compliance does not necessarily equal security. Rather than simply checking off a list of compliance requirements, organizations are best served by paying attention to their specific compliance process.
As recent research showed, conducting internal compliance audits is extremely valuable. Organizations have avoided them in the past due to their heavy time burden and complexity, but an automated process for reporting and compliance saves employee hours and increases the likelihood of success should an external audit come to pass.
About the Author
Dan Maloney is vice president of marketing and business development for AccelOps, bringing nearly 20 years of experience in the enterprise software arena. He was at SAP for 12 years, where he held a variety of leadership roles, including global vice president of business development.
Adopt the Tools You Need
SureView® Insider Threat, by Raytheon|Websense, will ensure and enforce that compliance, while offering complete audit trails for all noncompliance events.
SureView Insider Threat provides an integrated suite of pre-breach preventive services aimed at ensuring compliance with the myriad governing statutes, regulations, rules, and industry best practices.
What’s more, our legal team develops corporate guidelines of acceptable use, called ‘policies’. These policies protect data access and usage across the enterprise in a manner conforming to compliance rules and regulations. Furthermore, these same policies are then utilized by SureView, which translates them into detailed ‘e-policies’ governing employees’ access, use, and transmission of data in real time. SureView Insider Threat then generates regular audit reports showing whether and to what extent users are following policies and where problems need to be addressed… and compliance enforced.
The result is data-security compliance on two closely related levels: legal compliance by the organization, and technical enforcement of acceptable-use compliance by its employees.