How to "Green" Security Compliance
Security consultant Diana Kelley outlines several key areas where enterprises can green their security compliance programs.
Green IT is getting a lot of buzz these days: partly because buzz attracts readers, but also because IT managers are being pressured to keep costs down by deploying more energy efficient data centers and fewer racks and servers. One area where you may not hear the green meme thrown around a lot is compliance, but there are a number of ways the concepts of reduce and reuse can be applied to your compliance program. Buzzword or not, the core tenets of the green movement - efficient use of resources, reducing environmental impact, removing waste - are concepts most IT professionals involved in compliance can get behind. In this article well take a look at several key areas where organizations can green their compliance programs.
Normalization and mapping
Many of the same control objectives are identified in different compliance directives. Unfortunately regulations and mandates dont come with an auto-translate feature, so it can be extremely challenging to understand where the control objectives intersect with specific technical controls.
Consider the control objective of protecting access to sensitive or protected data as it is translated into the technical control for individual logins in HIPAA and NERC. HIPAA requires unique logins, but NERC allows shared logins if additional controls are in place. An energy and a health standard may seem like odd bedfellows in the same organization, but the 2009 HITECH Act [.pdf] extends protection of electronic private health information (PHI) to business associates, which can include any organization that does business with the covered entity and discloses or manages related PHI. Looking at the regulations:
A covered entity must, in accordance with Sec. 164.306 . . . Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights . . . Implementation specifications: Unique user identification (Required).
2. North American Electric Reliability Corporation (NERC) CIP-007-2, Cyber Security - Systems Security Management
R5.2.2. The Responsible Entity shall identify those individuals with access to shared accounts.
R5.2.3. Where such accounts must be shared, the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination).
If an organization has already gone through the process of implementing unique logins and limiting access for HIPAA, complying with the NERC reliability standards may not require any new policies or technology. However, if the organization is NERC-compliant and now must be HIPAA/HITECH-compliant there may be an exposure if shared accounts are in use on systems that transmit, store, or process PHI.
Assessing the impact manually could be time-consuming. But an organization can much more readily assess compliance if theyve already intelligently mapped their compliance model: derived compliance objectives from regulatory requirements, mapped control objectives to required technical controls, and finally defined scope to target individual systems and devices within the IT infrastructure. Are the shared accounts on a system that is isolated from PHI? If so, no changes may be required, if not, the compliance gap is clear and new controls must be implemented.
Organizations have a number of options for creating normalized compliance maps. The company can opt to do the work themselves, either with in-house resources or by hiring an external consulting firm. Many of the IT-GRC tools (for example RSA-Archer and Symantec) provide compliance mapping functionality within their consoles. Another option is to purchase the IT Unified Compliance Framework, which is a large hierarchical mapped listing of regulations and controls.
Identify Existing Technical Controls and Eliminate Overlaps
Once an organization has a normalized map of compliance requirements to control objectives, the work of understanding and streamlining the technical controls can begin.
Approaching compliance as a one-off fire-drill, with every regulation or mandate being addressed individually, often leads to unnecessary spending. With a mapped and normalized view of the IT requirements and controls, the organization can determine if a version of the control is already in place and if so, can it be used for the new or revised control objective? Going back to our login scenario if a mechanism for shared logins is already installed the system should be able to support individual logins. If this is the case, no new technology is required. The new technical control can be met with administrative procedures that create new, individual logins, in the existing system. Before making any solution purchases to meet a compliance mandate, be sure to check out existing solutions many companies already have all the technology they need.
In fact, a lot of companies already have too much technology - or at least redundant technology. Thats why another big win for green compliance is the ability to eliminate overlapping technical solutions. Duplication of technical controls occurs for a variety of reasons for examples, different business units or departments purchased solutions for the same business objective or perhaps solutions were inherited during mergers and acquisitions. But regardless of why the duplications occurred, set aside some time to examine how they are impacting the organization. Are they truly overlapping or are they actually serving separate functions or business objectives? If they are overlapping, its probably time to clean house.
Eliminating duplicate technology often has a clear financial cost because maintenance and support are being paid for each solution. Other areas for savings: hardware reduction, administrative staff overhead, and log and storage management.
Policies: Reusability and Going Paperless
The holistic, normalized approach can be applied to policies as well. Write policies in human language so that theyre easy to understand. Flowery language may sound important and impress the legal team, but its not useful if employees cant understand it and conduct their business and IT usage in ways that keep the organization compliant.
Rather than writing multiple policies for each and every mandate, review written policies to see where acceptable use and procedural directives can be carefully reused. Going back to the unique logins example, an organization could have a login policy for NERC systems, HIPAA systems, PCI systems, etc. But if the decision has been made to require unique logins on all systems, then the end-user employee doesnt need to know which mandate is being met. All the employee needs to see in the policy is that they have been assigned a unique login or logins and they are required to use the login(s) when accessing company systems and services. If sharing of logins isnt allowed that needs to be explained and expressly forbidden. Theres no denying that some employees know the rules and opt to flout them regardless of the compliance impact. But dont underestimate the number of users who are putting the company at the risk of being non-compliant simply because they dont understand the rules and procedures.
So normalize the policies, write them down, and make sure everyone has a chance to read them and sign off. Which brings us to a final way to green the compliance process: going paperless. There are a number of benefits to keeping policies in an online centralized repository rather than distributing them on paper. New hires can be shown corporate policies via a portal and electronically sign that theyve been read during the initial HR orientation process. Updates to the policies can be made easily and then employees can be alerted electronically (via e-mail, IM, or a corporate collaboration site) to the changes. Dont forget to have employees electronically sign off on reviews of changes and updates to policy and to keep an audit log of these changes.
Compliance mandates and regulations are now a permanent part of an IT security professionals life. To get the most out of your program, consider where it can be streamlined. Start with a normalized view of objectives and technical controls and then focus on eliminating redundancy both in the technical and in the written policy realm.
Diana Kelley is a partner at SecurityCurve and a regular contributor to eSecurityPlanet.com.
By Pam Baker
March 26, 2010
Pam Baker outlines the key questions to ask when mapping out a security policy for disaster planning.