BreachExchange mailing list archives

Compliance Doesn't Have to be Painful


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 21 Jul 2015 19:17:18 -0600

http://www.infosecurity-magazine.com/opinions/compliance-doesnt-have-to-be/

Perhaps the most surprising fact about last year’s slew of data breaches is
that the organizations that made headlines had been assessed as compliant
with at least one of the common security frameworks, such as PCI DSS or HIPAA.

Observers may scratch their heads and wonder if these standards do any good
at all. But compliance is not pointless – organizations are just placing
far too much emphasis on the compliance certification and not enough on the
compliance process. The end goal should not be the piece of paper with a
stamp of approval. Companies should be working diligently to identify and
mitigate risks threatening confidentiality, integrity or availability of
systems and data.

Two of the nation’s largest data breaches cost their respective companies
approximately $100m each last year. Smaller organizations with less data to
steal will pay less, but it’s an unnecessary expense that could be avoided
via proper risk management on the front end.

Rather than a mere checklist from an external governing body, proper risk
management is an ongoing process. It takes into account the unique nature
of each organization. While compliance programs such as HIPAA, PCI DSS, FISMA
and others are a great starting point, they can’t identify all areas of risk
in an organization. Each organization must do that for itself.

Compliance checklists can never provide the level of security that risk
management can. If you don’t have a risk management program, start small
and use the free resources available at http://csrc.nist.gov (for example,
the NIST SP 800-30 guidance on conducting risk assessments).

How Expensive is Non-Compliance?

The Ponemon Institute conducted an independent study, The True Cost of
Compliance, which revealed that the cost of non-compliance (fines and
penalties plus the business disruption that accompanies them) is far greater
than the cost of compliance. When researchers adjusted the total cost of
compliance by organizational headcount, they found that compliance cost $222
per employee, while the cost of non-compliance came to $820 per employee.

The frequency of internal compliance audits, according to the study, is
inversely related to per capita non-compliance costs. In other words,
organizations that audit themselves more often incur lower non-compliance
costs, presumably because they find and fix gaps before an external auditor
does. The cost of non-compliance goes beyond fees, penalties and legal costs;
it disrupts normal business processes, reduces productivity and creates
tremendous stress for the individuals involved.

Internal Audits Made Easier

Everyone understands that compliance is a requirement, but compliance
auditing seems like a labor-intensive and difficult task.

Fortunately, compliance audits aren’t what they used to be. Automated
monitoring offers peace of mind and streamlined processes. There are
solutions today that provide a single-pane-of-glass view of corporate
network infrastructure. Some products go even further, providing
pre-configured rules and reports, many of which are designed specifically
to make preparing for compliance audits as easy as a click of the mouse.
Pre-built rules still have to be mapped to the organization’s own scope and
control set, however; a report nobody has validated against the actual
environment is just another piece of paper with a stamp on it.

Rather than commandeering IT resources two weeks before audit reports are
due, IT managers should consider solutions that generate compliance reports
automatically for the following: PCI DSS, SOX, NERC, GLBA, GPG13, FISMA,
COBIT, ITIL, ISO, HIPAA and the SANS Critical Controls.

IT staff are better able to discover new – and potentially rogue – devices
on the network using a compliance monitoring solution. It also enables a
more efficient alert system. Imagine being able to view the entire network
at a glance. This kind of functionality also helps isolate the root cause of
security and network issues, which is of particular value in virtualized
environments, where the source of a problem can shift over time as
workloads move.

Another benefit of using automated monitoring for compliance is immediate
ROI. As an example, a financial services firm was required to produce
quarterly GLBA compliance reports. It was a full-time job for three IT
system administrators for three weeks per quarter. During this time, they
would manually parse terabytes of logs to find all instances of specific
security events such as unauthorized server access.

All of this activity was drastically reduced when the firm implemented an
automated monitoring solution. Those events were instantly tracked,
correlated and delivered as pre-configured reports and dashboards. In
addition to automating GLBA compliance for security, the company also
gained health-of-network visibility into server and application performance
and availability.

Increasing the Odds of Success

As companies endeavor to protect their critical data, maintaining
compliance with IT security mandates such as PCI, SOX and HIPAA is more
important than ever before. However, as we continue to see, compliance does
not necessarily equal security. Rather than simply checking off a list of
compliance requirements, organizations are best served by paying attention
to their specific compliance process.

As recent research showed, conducting internal compliance audits is
extremely valuable. Organizations have avoided them in the past because of
their heavy time burden and complexity, but an automated process for
reporting and compliance saves employee hours and increases the likelihood
of success when an external audit does come.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 