The security compliance landscape is complex and bogged down in administration, with many companies struggling to satisfy the letter of many regulations instead of using them as tools to better secure the enterprise. It’s a case of not being able to see the forest as there are so many trees in the way.
How many trees? The alphabet soup of regulations and standards includes HIPAA, Sarbanes-Oxley, GLBA, various NIST standards and PCI. Beyond these security standards, firms must satisfy a host of other rules. This guide takes a look at how enterprises can better manage the onerous task of compliance and includes a brief look at some of the tools.
The primary challenges associated with security compliance include risk management, reporting, data protection, audit response, breach mitigation and incident response, said Chip Epps, principal product marketing manager at Symantec. "New platforms and service practices, such as virtualization, the cloud, SaaS and legacy infrastructures, from physical infrastructures to end-of-support operating systems, also pose security compliance challenges."
Compliance Best Practices
Paul Trulove, vice president of Product Management at SailPoint, said successful compliance projects share common best practices such as investing in educating and gaining support from business users. Some of the recommended practices:
- Communicate changes and requirements via company portals and email newsletters.
- Set clear expectations and provide training opportunities like Web-based training videos.
- Promote and market successes to the organization following completion of project milestones.
- Provide visibility into how business units met their compliance goals.
- Share metrics that show how easy it could be to do what is right.
Another key, Trulove said, is dividing up projects into manageable phases that can be completed quickly to obtain quick wins and boost motivation. "When half the battle is changing behavior and getting business users to pay attention to matters beyond their day jobs, it’s important to motivate participation," he said.
Epps believes that users should move away from point products that cover one facet of the security compliance landscape to those that consider the whole picture, from physical to virtual to data center to endpoint.
"Organizations that find the right mix of manual processes and automated tools can make great strides in managing compliance," said Epps. "Look for technologies, processes and policies that can be extrapolated across the organization to build a cohesive, organic information security governance structure."
Centralization, Standardization Keys to Compliance
Duplicated and triplicated work is another area that haunts compliance efforts. As new standards are released and yet more legislation is added to the pile in response to the latest wave of data breaches, companies tend to add staff or even entire departments to address each additional compliance workload. This approach breeds inefficiency.
"The average large organization often has to comply with multiple external and internal standards, which heavily overlap," said Joe Goldberg, security and compliance evangelist, Splunk. "Organizations often use point tools and processes for each of these standards, which leads to inefficiencies since multiple compliance tools are being used to measure the same basic technical controls. This leads to high software and support costs and organizations must spend extra time training compliance teams on multiple point products."
Goldberg recommends putting all security and compliance-relevant data and log files into a single, centralized platform. That, he said, is the starting point for moving out of the one-tool-per-regulation trap.
KPMG's Managing Director of Information Protection Gavin Mead concurs. He advises organizations to develop a standard control framework from which new regulations can be mapped quickly to existing enterprise practices. This unified compliance approach enables companies to test a control once, but report against many different standards.
Derek Hitchman, vice president of Implementation and Support, GRC On-Demand, urges IT to look beyond mere compliance and seek tools that help organizations implement the best practices the standards call for. Once that is done, he said, compliance is easy.
"Compliance software is often looked at as a silver bullet which will magically solve the compliance problem," Hitchman said. "Without the right implementation methodology and reporting features, this is not always the case. A good compliance system will generally allow a company to comply with many standards, not just one."
Guidance on Compliance Tools
There is an abundance of tools available that help users comply with one or more regulations or standards. Symantec’s current security compliance tools include Control Compliance Suite (CCS) Standards Manager, which automates the assessment of technical controls and security configuration standards. Pricing is typically done by server ($1,408 per server).
The company offers a few other tools. Symantec CCS Vendor Risk Manager automates tasks associated with vendor risk management. Pricing per 10 managed vendors is $153,600, plus $510 for each additional vendor. Symantec CCS Virtualization Security Manager isolates compliance-relevant virtual assets, limits access to and from them, and dictates where and if they move. Pricing is per virtual host CPU, $1,920 per CPU.
Hitchman said that governance, risk and compliance (GRC) tools such as GRC On-Demand allow a company to implement requirements rapidly by documenting what is currently in place and kick-starting the process to full compliance.
"Because the system is built around best practices and includes a defined pathway to assist in quick compliance, organizations are able to comply quickly and do it correctly," he said.
KnowBe4 Compliance Manager (KCM) is a software-as-a-service (SaaS) platform for consolidating audit management and regulatory compliance, focused on IT. Brian Jack, director of Security Research, KnowBe4, said the product was created from customer feedback on compliance headaches. It contains automated workflows that prevent overlap and eliminate gaps. This is achieved by using the NIST standard as the central core and mapping all other regulations and standards to it.
"KCM tracks security compliance and other non-IT compliance areas such as OSHA, quality control, vendor management and fraud," Jack said.
For those in the healthcare field, there are tools such as ComplyTrack and ComplyAssistant. Other verticals have similar software aimed at specific regulations; Sumo Logic Application for PCI Compliance is one example. Further, there are a number of solutions addressing the broader field of governance, risk and compliance (GRC), such as EMC RSA Archer, BWise and Enablion.
Additionally, there are technologies that supplement compliance efforts. Trulove pointed to identity and access management (IAM) as a means of managing all the resources that people use, whether those resources are on-premises or in the cloud. Nicko van Someren, CTO at Good Technology, stressed keeping sensitive data separate and encrypted. Separating the data allows access to it to be controlled, and encrypting it strengthens that separation and provides a degree of safe harbor in case the data is lost.
Some tools only provide a self-assessment questionnaire that can be taken multiple times throughout the year to obtain a compliance score. These types of tools generally fall short. Others can be overly complicated to set up and manage. Ideally, try them out before you buy. Or at least implement a small test project before attempting to roll them out across an enterprise.
Drew Robb is a freelance writer specializing in technology and engineering. Currently living in Florida, he is originally from Scotland, where he received a degree in geology and geography from the University of Strathclyde. He is the author of Server Disk Management in a Windows Environment (CRC Press).