Most organizations tend to focus on becoming compliant rather than being secure. And while meeting client requirements and industry regulations is very important, it does not necessarily guarantee that your organization is secure. If your entire information security program is based on “What must we do to be compliant?”, you’re probably missing some major holes in your security infrastructure. So, what is the key to finding the balance between compliance and security? Let’s look at some recent examples to learn more.
Finding the Balance Between Compliance and Security
If you are keeping up with the headlines on recent data breaches, you’ll notice that several organizations that have experienced breaches of cardholder data, protected health information, or personally identifiable information have something in common – they were all declared compliant. However, they were lacking the necessary security controls to prevent a major data breach from occurring. So, what else should we be doing when compliance doesn’t seem to be enough?
4 Ways to Ensure Security and Maintain Compliance
When you look at the big picture, you’ll come to understand that compliance is a reporting function and the way in which your organization demonstrates that your information security program meets a specific set of requirements. If you’re simply checking the box for the sake of compliance, there’s a big chance you may miss something. However, if the focus of your organization is security, then the compliance piece will fall into place. Here are four things your organization can do to ensure security and maintain compliance:
Secure Software Development
Secure software development is imperative to any information security program. While many industry standards mandate secure software development, they don’t always give clear instructions on how. Maintaining a software development life cycle (SDLC) helps to establish a framework that defines each task that should be performed during each step in the software development process. The purpose of an SDLC is to help maintain a secure environment that supports business needs and is comprised of policies, procedures, and standards that describe how to develop, maintain, and replace specific software. By utilizing an SDLC in your secure software development process, you can ensure security and maintain compliance.
Encryption and Key Management
If you are encrypting data, it’s important to evaluate any sensitive data that may be in your environment and ask yourself if you truly need the data. Is it absolutely necessary for your business practices? If not, it needs to be securely purged. This will help to eliminate any unnecessary risk to your organization. Your encryption key management program needs to be fully documented. As part of this program you must be generating strong keys and ensuring secure key distribution. Keys must also be protected during storage with a key-encrypting-key, they must be replaced when they are weakened or suspected of a compromise, and there must be a process in place to prevent unauthorized key substitution. Implementing these practices can help to ensure security and maintain compliance with applicable frameworks.
Hardening and System Patching
Our auditors find that about 75% of the assessments performed have a finding related to patching. Patch management is only part of an overall program that your organization needs to implement. Your patch management program should include policies and procedures on how updates are deployed, the frequency that items will be reviewed, the timing requirements for deploying a critical patch, and the testing requirements and methods. It should also include any necessary tools that will be used to identify missing patches or vulnerabilities and requires that staff be sufficiently trained to address identified issues, anti-virus, file integrity monitoring (FIM), and log review. Your vulnerability identification program is a great way to ensure security and maintain compliance. Your program should involve monitoring multiple sources for known vulnerabilities, monitoring vendor sites for patches and updates, risk ranking identified vulnerabilities as it would apply to your organization, and finding ways for identifying zero-day attacks.
Firewall and Router Management
Organizations today should use data breach examples as motivation to focus on maintaining a secure environment, rather than just focusing on becoming compliant. Firewall and router management are important aspects to focus on when maintaining a secure environment. When thinking about best practices for firewall and router management, it’s important to look at your networking gear as a whole. Managing the security of a device goes much further than the device itself. Three areas to focus on when managing your firewall and router security are the security of physical devices, operating system security, and maintaining secure traffic rules.
Implementing these four practices into your organization’s security posture can help prevent your organization from being the next major headline. Focusing on security rather than merely compliance will help ensure that your organization can withstand a malicious attack from happening, while the compliance function still falls into place.
For more information on enhancing the security posture at your organization, contact me today at s.morris@kirkpatrickprice.com.
Sarah Morris is a guest blogger from auditor KirkpatrickPrice. The original blog post may be found here. For additional information on security program best practices, visit the Center for Internet Security (CIS) or contact Sarah at s.morris@kirkpatrickprice.com.