Compliance versus Security: Looking for Gold in a Coal Mine
Kristy Westphal, Information Security Officer, Element Payment Services
ISSA, January 14, 2014
Agenda
• What does it mean to be compliant or secure?
• Standards/regulations that apply
• Finding the gold in the coal
• Putting it to use in your organization
Houston…
• There is a problem
• We used to use compliance to get security tools in place
• But then we got the tools and didn't do the right thing with them
• I argue that we still are not communicating risk to upper management
Let's get this straight
• Compliance DOES NOT EQUAL security
• Target
• Heartland
• Hannaford
• The Briar Group
• Even the Federal Reserve….
• But why?
Because I said so!
• PCI is prescriptive
▫ But limited in scope
• HIPAA, SOX, ISO27001
▫ All provide a pathway, but don't dig into the details
• NIST is VERY detailed
▫ But it's not prioritized and many outside the Fed won't implement
Maybe audits look a little like..?
My version of the compliance audit (a cycle):
• PANIC
• Set audit date
• Make up what's missing
• Prep team how to talk to an auditor
• Convince auditor processes are pristine
• Get clean audit/remediation items
• Organize phone books of docs
• Scramble for remediation items not done from last time
It sure doesn’t look like this
Or this…
OK, it's not ALL bad
• Regular review of documentation
• You do get to implement tools (they have to produce a report somehow)
• Compliance does avoid some fines and jail time
But…
• If you only document compliance-related stuff
• But do you know what the reports you produce mean?
• But if you still get attacked…then WTF?
True Cost of Compliance
• We define a compliance activity as one that organizations use to meet the specific rules, regulations, policies and contracts that are intended to protect information assets.
• We define non-compliance cost as the cost that results when an organization fails to comply with rules, regulations, policies, contracts, and other legal obligations.
• Although all organizations that participated in this study experienced both compliance and non-compliance costs, the findings demonstrate the value of investing in activities that may help an organization reduce the reactive costs of non-compliance.
Saying a lot while saying nothing
Where do we start mining?
• Understand the scope of your compliance environment
▫ Ensure it is well documented
• Understand the business priorities
• Dissect your compliance reports
▫ Is the effort of what you are doing worth it?
▫ Is there a compliance aspect that should apply elsewhere?
▫ Is there a better way to do things?
Let’s take a look at PCI (look at the pic! We’re done!)
Just kidding
Still messing with you
HIPAA
• §164.308(a)(1): Security Management Process
§164.308(a)(1)(ii)(a) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
• Conduct Risk Assessment
▫ Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
▫ Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
▫ Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.
▫ Determine if the covered entity risk assessment has been conducted on a periodic basis.
▫ Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.
More HIPAA!
• §164.308(a)(1)(ii)(b) - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
• Implement a Risk Management Program
▫ Inquire of management as to whether current security measures are sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
▫ Obtain and review security policies and evaluate the content relative to the specified criteria.
▫ Determine if the security policy has been approved and updated on a periodic basis.
▫ Determine if security standards address data moved within the organization and data sent out of the organization.
SOX
• There is typically something related to: upper management needs to understand what is going on.
• So how do you dig deep into this enough to provide what they need?
▫ What metrics do you provide today?
▫ Do you explain what they mean?
▫ Better yet, are you sure they understand what they mean?
SOX
• Tracking of security incidents
• Typically, this is just a process to show that
1) You report security incidents
2) You track them
• But do you actually do anything like:
▫ Prepare
▫ Detect/Analyze
▫ Contain/Eradicate/Recover
▫ Post-mortem/Remediation
Top priorities
• Use application “whitelisting” to help prevent malicious software and other unapproved programs from running.
• Patch applications such as PDF readers, Microsoft Office, Java, Flash Player, and web browsers. These applications are in daily use in most companies.
• Patch operating system vulnerabilities, for the same reasons discussed above.
• Minimize the number of users with administrative privileges, the highest level of authority to make changes or undertake actions on a network.
OK, great, now you have it
• But does anyone else?
• How do you translate what you just did into something management understands?
• Get out the risk decoder ring!
First, let's try to explain the difference
• Security: protects stuff
• Compliance: necessary due diligence, a cost of doing business
• But we can reduce risk to the business by prioritizing both
What risks are truly at stake?
• Tripwire/Ponemon Institute paper says the cost of non-compliance far outweighs the cost of compliance
• So show that value
• Publish metrics:
▫ I bet an astounding number of spam and other malicious emails get blocked every day
▫ How much do your WAFs block every day?
▫ DLP tools?
▫ What volume of log files are reviewed daily?
Also…
• Do a real risk assessment. Full stop.
▫ Don't just do a random risk register
▫ Stand back and take a look at the whole business from a security perspective
▫ This is one where you don't want too much in the weeds…
▫ But enough to express the bad stuff
For example
• Do your developers push code directly into production without change management?
• Do you know what really goes on inside your network?
• How about what actually leaves your network?
• Have you looked at indicators of compromise?
Align with business risk
• IT risk should be hand in hand with other areas, like operational, reputational, and financial risk
• If you don't know what these are, start asking people who would know
• Be prepared to show how your program ties back
• Let's look at an example
Third party risk assessments
• Should not only be for IT (and if they are…run away!)
• Should start with the business risks and include a component of IT risk
• IT risk may indicate problems where others aren't looking:
▫ Like a partner whose domain name is registered in the Ukraine
In summary
• What have we learned?
• Time for the game of
Resources
• http://csis.org/publication/raising-bar-cybersecurity
• http://www.tripwire.com/tripwire/assets/File/ponemon/True_Cost_of_Compliance_Report.pdf