compliance


After my last post on “Risk Management or Compliance Management” Martin Fisher and I talked about it on the SFS Podcast. It gave me an opportunity to “rant” more and, as usual, Martin had some good insight into things. Ranting is fine for a bit, but if that is all there is then why bother to blog? There need to be some actionable items to move things forward, so here are some thoughts on getting back to risk management and away from “pure” compliance management.

I’m going to approach this from a generic angle because it will be different for each company due to many factors. This will probably work better for the SMB market due to the complexity of large enterprises, but with some creative thinking you should be able to use this as a template for them as well. So if you are a security pro and are tired of doing compliance management instead of risk management, what do you do?

First you want to make a plan and prepare a strategy. Lay out the goals for what you want to accomplish. Who do you need to influence? Your boss, a business leader, company leadership?

A good place to start is with a good understanding of what you currently have. Do you know your environment? Do you have an asset list of all systems (hardware, OS, applications, services, accounts, etc.)? What patches do you have installed and what software updates do you currently have? What infrastructure components are in place? What are the various connections to the outside world? Do you have extranets? Things such as this are key to the next step.

Do a gap analysis to determine what you need to do to get from where you are to where you need to be. After that, do a risk analysis on the gap. It doesn’t have to be fancy or even follow a particular methodology, just as long as you are doing a thorough job and not just looking at things through the blood colored glasses of a security pro. Talk to others who are in the business and can give you insight. Ask questions of others in different roles to help you understand better and be able to view the “problem” from the security angle, the business angle, the user angle and the customer angle. These things will help you when you present your recommendations because you can anticipate questions and concerns ahead of time and have answers and alternatives prepared. Plus it really adds to your credibility because they see that you are serious about this and not just spouting off.

Next you will want to look at ways to close the gap. Don’t just think technology. What process changes can be made? You will be able to answer this because you took the time to talk to others and learn from them. Are there policies in place that address this, and if so do they address it fully or are there areas that need to be shored up? What about technology that is already in place: can it be used to solve some problems? Then look at “new” technology that could be implemented. Also don’t forget awareness programs and other training that can reduce the likelihood that someone in the company will make a mistake due to lack of knowledge.

Now go back and look at what you can realistically do given the resources available to you. Think about time, talent, money, etc. and build a case for doing what you can, but don’t stop there. Build the case for going beyond. Why is what you can do not enough? What risks will still be there that need to be addressed? Why do they need to be addressed? Explain it in a way that the business managers and others who are not security focused will understand. I love this “nugget” from Mike Rothman’s “Pragmatic CSO”: put together different presentations for Plan A, B, and C, with A being getting everything on your list, C being the minimum you can get by with and B somewhere in between.

Once you feel that you have built your case(s) then run them by others in the company who can help you refine them so that what you present to management is first class. After that practice your presentation many, many times and make sure that you have asked the right questions (those that management will ask) and have your answers prepared.
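The inventory, gap analysis, risk scoring and Plan A/B/C steps above can be worked through in a small script. The following is an added example written for this page, not code from the post or from “Pragmatic CSO”. The asset list, the required controls, their costs and the likelihood weights are all constructed numbers, and the scoring (impact times a per-control likelihood weight, doubled for internet-facing assets) is a deliberately simple stand-in for whatever risk method your company uses. The one output a business audience cares about, the residual gaps each plan leaves open, is what the script lists for each plan.

```python
"""Gap analysis and Plan A/B/C builder (added example, not from the original post).

The inventory, control weights and costs below are constructed for illustration;
the scoring is a plain impact x likelihood estimate, not any particular methodology.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory: business impact (1-5), whether the asset is
# reachable from outside, and the controls it currently has in place.
ASSETS = {
    "web-frontend":  {"impact": 3, "internet_facing": True,  "controls": {"patching", "firewall"}},
    "card-db":       {"impact": 5, "internet_facing": False, "controls": {"patching", "backups"}},
    "hr-fileserver": {"impact": 4, "internet_facing": False, "controls": {"backups"}},
    "partner-vpn":   {"impact": 3, "internet_facing": True,  "controls": set()},
}

# Target state: every asset should have these controls. "weight" is how much of
# the likelihood the control removes, "cost" is rollout effort per asset
# (constructed units, e.g. person-weeks).
REQUIRED_CONTROLS = {
    "patching": {"weight": 0.4, "cost": 2},
    "firewall": {"weight": 0.3, "cost": 3},
    "backups":  {"weight": 0.2, "cost": 1},
    "logging":  {"weight": 0.2, "cost": 2},
}


@dataclass(frozen=True)
class Gap:
    asset: str
    control: str
    risk: float   # impact x likelihood weight x exposure; higher = address first
    cost: int


@dataclass
class Plan:
    name: str
    gaps: list            # gaps this plan closes
    cost: int
    addressed_risk: float
    residual: list        # gaps this plan leaves open
    residual_risk: float


def find_gaps(assets=ASSETS, required=REQUIRED_CONTROLS) -> list:
    """Gap analysis: every (asset, missing control) pair, scored by risk."""
    gaps = []
    for name, a in assets.items():
        exposure = 2 if a["internet_facing"] else 1   # reachable from outside doubles likelihood
        for control, spec in required.items():
            if control not in a["controls"]:
                risk = round(a["impact"] * spec["weight"] * exposure, 2)
                gaps.append(Gap(name, control, risk, spec["cost"]))
    return gaps


def build_plan(name: str, gaps: list, budget: Optional[int]) -> Plan:
    """Greedy selection: best risk reduction per unit of cost first, within budget.
    budget=None means take everything (Plan A)."""
    ordered = sorted(gaps, key=lambda g: (-round(g.risk / g.cost, 6), -g.risk, g.asset, g.control))
    chosen, spent = [], 0
    for g in ordered:
        if budget is None or spent + g.cost <= budget:
            chosen.append(g)
            spent += g.cost
    total = round(sum(g.risk for g in gaps), 2)
    addressed = round(sum(g.risk for g in chosen), 2)
    residual = [g for g in ordered if g not in chosen]
    return Plan(name, chosen, spent, addressed, residual, round(total - addressed, 2))


def build_plans(gaps: list, budgets=None) -> dict:
    """Plan A = everything; B and C are smaller budgets (constructed values)."""
    budgets = budgets or {"A": None, "B": 10, "C": 4}
    return {name: build_plan(name, gaps, b) for name, b in budgets.items()}


if __name__ == "__main__":
    plans = build_plans(find_gaps())
    for p in plans.values():
        print(f"Plan {p.name}: cost {p.cost}, risk addressed {p.addressed_risk}, "
              f"residual risk {p.residual_risk}")
        for g in p.residual:
            # This is the "what risks will still be there" list for management.
            print(f"   still open: {g.asset} lacks {g.control} (risk {g.risk})")
```

Run it and Plan C shows why the minimum is not enough: it patches and backs up the internet-facing VPN appliance but leaves the card database without a firewall or logging, and that residual list is the argument for Plan B or A.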

Now it’s up to Management how they respond but at the very least if you have done this well you will build credibility so that next time they listen to you more closely and value your input.

Kevin Beaver writes about how the business continues to choose compliance over true security even though we (the security people) know that it’s a bad idea. He makes the following comment:

Those of us in infosec circles know these dangers haven’t changed but management keeps on chugging along as if it doesn’t really matter in the grand scheme of things.

Maybe it doesn’t…?

Well, I don’t think that Kevin believes that it doesn’t matter. He just seems to be at a point where he doesn’t understand why this continues to happen.

I have a few theories that I want to share with you.

  1. Those who do understand still are not doing a good job translating the danger into a language that the business understands.
  2. We don’t understand the business enough to realize that the cost/benefit trade-off is not enough for management to buy. They would rather accept the risk, take the chance and deal with the consequences.
  3. There is no guarantee that Security X will prevent a breach, but you can be sure that it will quite possibly break something and/or cause lots of user issues.
  4. Compliance still makes the Auditor happy and we all know that when Audit isn’t happy nobody is happy.

There are other theories and reasons for this phenomenon and I invite you to share yours in the comments. To answer the question as to whether or not it matters I think that it does. It matters because just doing enough to get by is wrong in lots of ways.

  1. It’s putting short term benefits over long term ones.
  2. It’s telling the world that our standards aren’t really that high and that we only care about what looks good.
  3. It’s creating issues that go way beyond us and the here and now.
  4. It affects lots of “innocent” people.

This is the kind of attitude that has gotten us into the mess that we are in with the economy, housing and even the BP oil spill in the Gulf. It’s this type of attitude that has brought down companies such as Enron, Arthur Andersen and MCI, and it is going to bring down many more. I’ll stop here before I get on a soap box.

I read with interest and an upset stomach the interview on CSOonline.com by Bill Brenner with the CEO of Heartland Payment Systems. I think the next thing that he should do is just step down, take his golden parachute and go home. I find it absolutely inexcusable and irresponsible for him to put the blame anywhere but on his and Heartland’s own shoulders. The only way he could blame anyone outside of Heartland for this would be if he had contracted out all of his network and security services to a 3rd party and Heartland had no oversight of it. He has a team of professionals in networking, systems, applications and security who are responsible for designing, deploying, managing and securing the environment. It’s not the responsibility of the QSA to secure the environment. Their job is to validate what they are given and told by their client. If the client gives them false information then that is what they have to work with. They can’t go through every part of the environment with a fine-tooth comb and check everything.

Rich Mogull and Mike Rothman have written their responses and thoughts on this. I’d recommend that you read their thoughts because they have some good things to say that I’m not going to repeat. What I do want to focus on is the lack of responsibility that Heartland is apparently accepting in this. If they can’t own up to their own mistakes then how can we trust them with our credit card info? If we can’t trust them to be responsible in this then how can we trust them to be responsible in any other way? Not only that, but he is sending the message to the teams who are responsible for his network that they don’t really have to concern themselves with doing things right because he will just “pass the buck”.

Apparently they haven’t learned anything from other companies who have had major issues (Enron, Johnson and Johnson, TJX, MCI, etc.) and who have responded both in the right way and in the wrong way. They seem to think that they can just sweep this under the rug and that it will go away. Robert Carr is going to add his name to a long list of the disgraced if he isn’t careful. He may come out of it with a pile of cash but he will have lost something much more important, his integrity. He needs to step back VERY quickly, change his tune and take the responsibility that is rightly his.

We’re seeing this more and more. People at all levels lying, cheating, and pushing responsibility off to others. Recently there was a poll where companies (or their representatives) purposefully gave auditors misleading information so that they would look better than they really were. There have been surveys taken where security professionals admit to taking data from their employers that they weren’t supposed to have. There have been incidents where IT and security pros have planted viruses and logic bombs, reset passwords, deleted databases, etc. It’s really shameful and sad.

Recently one of the email lists that I’m a member of had a discussion regarding a small company that had some problems with a project that didn’t go as planned. The boss wanted to fire the guy that he saw as being responsible for the problem instead of taking responsibility himself for problems that he clearly should have been on top of. I once worked for a company where Management did all they could to pass decision responsibility on to someone else “just in case” it went wrong. The standard answer was “What is your recommendation?” or, if asked a direct question in email, they would avoid replying so that there wouldn’t be a written record of their decision.

So what do we do about this? Unfortunately there isn’t much we can do about someone else who refuses to take responsibility except to remove ourselves from any association with them. What we have to do is take responsibility for the actions of ourselves and the teams that we lead. Then hopefully others will see how in the long run it really does pay off and then they will follow our example.

Disclosure: I attended a half day seminar on e-discovery where this story was told by Randy Kahn of Kahn Consulting. It got me to thinking and some of this is reflective of some of his talk.

In early Sept 2008 United Airlines stock fell by as much as 75% because of a six-year-old article that found its way onto Google. The article had no date attached to it and was accidentally re-posted to a newspaper’s web site. Over the weekend the article started turning up in searches about United Airlines. As investors and automatic investment software saw the article they started to panic and sell shares of United stock, causing the price to fall drastically. Luckily people actually started researching the information and discovered that it was old news and not relevant to the present. Fortunately the stock did rebound and regained most of the loss.

How did this happen? I can’t say for sure but it sounds like someone wasn’t managing their data very well. How does well managed data get mishandled like that? Obviously there is a legitimate business case for keeping old stories like this around. They are useful for research and such, but the data could have been tagged in such a way as to keep something like this from happening. It could have had restrictions placed on the way it could be used. The problem with this is that it requires technologies to make this stuff happen that unfortunately are not used by many companies. This makes data management and security a nightmare for many.

Unfortunately I don’t have a low cost, easy to implement answer to this problem but it is something that needs to be addressed in your company. We all know that we can’t secure what we don’t know about. We can’t secure the data if we don’t know where it is, who is accessing it and what they are doing with it. Data has been taken too lightly for too long. It’s been treated like it doesn’t matter and that it’s impervious to loss, misuse or any other bad thing. Sure, we play the game and put in firewalls to keep bad guys out and put in a few other things inside the network and on host systems to make us all feel a little better, but we aren’t managing the data itself. We aren’t teaching the DBAs, server admins, end users and anyone else that it is important that it not be tossed around like a rag doll. We’re not building the case to upper management that having policy with teeth is critical to keeping us safe.

We write policies and set them in their little corner to be pulled out when the auditor asks for them or when someone does something bad, but other than that we pretty much ignore them. We don’t train our users on what they say and why they say it, we don’t teach them how to follow them. We don’t work with the business units to ensure that the policies are even effective and enforceable. We don’t meet with legal, compliance and other groups to see how the policy fits into law and regulations. We don’t look at how a change to one policy affects other policies and makes them more or less effective and enforceable.

I know that I’m making a wide sweeping statement with much of this and that this isn’t the case for all companies. The problem is that it occurs in way too many places because companies and people are just playing the game. They aren’t taking their compliance and security programs seriously. They want to check their box and move on. They aren’t thinking outside the box and looking at things from a holistic perspective. In today’s world where data is king we can’t play games. We can’t do "just enough". We can’t keep thinking that security is a nuisance that we have to live with. Management has to take the lead and hire and equip the right people with the right tools and training. They have to take security seriously and they have to realize that there have to be consequences for what happens to data; the consequences have to fall on the right people and have some pain associated with them or nothing will really change.

I love technology. There isn’t much that is more exciting than getting a new "toy" to play with and use to make your job easier and hopefully more secure. I think it’s pretty cool how a piece of software can alert you to threats to your system, prevent you from doing things that you shouldn’t do and keep your system from doing things without your knowledge. I really like the concept of having some devices on the network that can watch the traffic flowing through the network and make assumptions and/or decisions based upon rules, algorithms, and other things over my head and either drop, divert or allow the traffic to continue. Often these things can shut down ports (logical and physical), pass ACLs to devices and do other things to stop worms, viruses and other bad things in their tracks.

The problem with technology is that it often gets misconfigured, deployed improperly, or just isn’t the right fit for what you are trying to do. Even if none of this happens it can still be left to its own devices and cause problems. It has to be monitored, updated, tweaked and cared for on a regular basis. Not only that, but in the case of shutting down ports and pushing ACLs automatically I would hope that you don’t really want or allow that to happen on your network. Talk about taking a risk. Technology is cool and it is necessary but it has to be used in the right way for your situation. You can’t let the vendors drive your strategy. Use them to learn about your options, but whatever you do DON’T let them sell you what they want to sell you. Take your time, review your options, look at the pros and cons of each solution and find the one that fits your need and will fit in with your strategy and plans for the future.
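One way to keep the convenience of automated response without letting a sensor shut ports or push ACLs on its own is to put a policy layer between the alert and the action. The following is an added example, not code from the post or from any product: a small decision function that lets a high-confidence flow drop run automatically, but turns port shutdowns and ACL pushes into a ticket for a human, never touches a constructed list of critical hosts, rate-limits auto-blocks so a noisy signature cannot wall off the network, and starts in a dry-run mode that only records what it would have done. Every alert, host address, threshold and signature name below is constructed.

```python
"""Guard rail for automated network response (added example, not from the original post).

A sensor proposes an action; the policy decides whether it may run unattended,
goes to a human as a ticket, or stays an alert. All hosts, alerts and thresholds
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

# Hosts an automated block must never touch (constructed): losing any of these
# costs more than the threat the alert describes.
PROTECTED_HOSTS = {
    "10.0.0.5": "core-switch-mgmt",
    "10.0.0.10": "domain-controller",
    "10.0.0.20": "payment-gateway",
}


@dataclass
class Alert:
    sensor: str
    signature: str
    src_ip: str
    dst_ip: str
    confidence: float          # 0.0-1.0 as reported by the sensor
    proposed_action: str       # "drop_flow", "shut_port" or "push_acl"


@dataclass
class Decision:
    action: str                # "auto_block", "ticket" or "alert_only"
    reason: str


class ResponsePolicy:
    """Decides whether a sensor's proposed action may run without a human."""

    def __init__(self, dry_run: bool = True, min_confidence: float = 0.9,
                 max_auto_blocks: int = 5):
        self.dry_run = dry_run                  # start here; flip only after reviewing the log
        self.min_confidence = min_confidence
        self.max_auto_blocks = max_auto_blocks  # per policy instance (e.g. per hour if recreated hourly)
        self.auto_blocks = 0
        self.audit_log: List[str] = []

    def decide(self, alert: Alert) -> Decision:
        d = self._evaluate(alert)
        # Every decision is recorded, including the ones that did nothing,
        # so the dry run can be reviewed before automation is switched on.
        self.audit_log.append(f"{alert.sensor} {alert.signature} "
                              f"{alert.src_ip}->{alert.dst_ip}: {d.action} ({d.reason})")
        return d

    def _evaluate(self, alert: Alert) -> Decision:
        for ip in (alert.src_ip, alert.dst_ip):
            if ip in PROTECTED_HOSTS:
                return Decision("ticket", f"{ip} is {PROTECTED_HOSTS[ip]}; never blocked automatically")
        if alert.proposed_action in ("shut_port", "push_acl"):
            return Decision("ticket", "port shutdowns and ACL pushes always need a human")
        if alert.confidence < self.min_confidence:
            return Decision("alert_only", f"confidence {alert.confidence} below {self.min_confidence}")
        if self.auto_blocks >= self.max_auto_blocks:
            return Decision("ticket", "auto-block rate limit reached; possible noisy signature")
        if self.dry_run:
            return Decision("alert_only", "dry run: would have dropped the flow")
        self.auto_blocks += 1
        return Decision("auto_block", "high-confidence flow drop on a non-critical host")


# Constructed sample alerts, one per branch of the policy.
SAMPLE_ALERTS = [
    Alert("ids-dmz", "malware-c2-beacon", "10.0.0.30", "203.0.113.7", 0.95, "drop_flow"),
    Alert("ids-dmz", "port-sweep", "198.51.100.9", "10.0.0.30", 0.99, "push_acl"),
    Alert("ids-core", "malware-c2-beacon", "10.0.0.10", "203.0.113.7", 0.97, "drop_flow"),
    Alert("ids-core", "unusual-smb", "10.0.0.31", "10.0.0.32", 0.55, "drop_flow"),
]


def evaluate_all(alerts: List[Alert], dry_run: bool = True) -> List[Decision]:
    policy = ResponsePolicy(dry_run=dry_run)
    return [policy.decide(a) for a in alerts]


if __name__ == "__main__":
    for a, d in zip(SAMPLE_ALERTS, evaluate_all(SAMPLE_ALERTS, dry_run=False)):
        print(f"{a.signature:20} {a.proposed_action:10} -> {d.action:11} {d.reason}")
```

The design choice worth copying is the ordering of the checks: the protected-host and action-type rules come before the confidence check, so no confidence value, however high, can turn a port shutdown on a domain controller into an unattended action.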

As much as I like technology I still feel that it falls far short of the mark of keeping us secure. It goes much deeper than that. It requires a good solid framework that includes policy, process, procedures, guidelines, user awareness training and security training for IT staff. I like the new buzz acronym of GRC: Governance, Risk and Compliance. I think that it does a pretty good job of summing up what a solid program consists of. If a company doesn’t allow IT governance to play a part in the way it does business then they are missing out on opportunities to make the best technology and policy decisions. These decisions are partly based upon the risk that is involved in doing various activities to enhance business. They are based upon the framework that is (or should be) in place for how technology is used to enable business. They take into consideration the goals and objectives of the company, the projects the LOBs have, the way the IT infrastructure is designed, and making best use of what is already in place.

GRC is not perfect but when implemented correctly and supported from the top down it will make things run smoother and allow for business to function in a manner that balances security, productivity, usability and makes best use of company resources.

We all know that in order for an Information Security Program to really be successful it has to have support starting at the top. The IT manager can’t decide that a program is needed, start implementing it and expect it to really succeed. That doesn’t mean that it won’t succeed, but the IT manager will have to do a lot of leg work to make it happen.

Often a company will be informed by their Internal Audit team that they need to have an "official" Information Security Program in order to achieve compliance with Regulations X, Y and Z or to continue to pass external audits. Then they will start the process of finding and hiring a Security Officer and hopefully some staff.

This is all good and well but is it effective? An audit or regulatory initiated program does not guarantee management support, so the program is still going to face a huge uphill battle to succeed. If the program does not have the support of the CEO, and if that support does not cascade down to the levels below, then it doesn’t matter that they have a program in place; it will be severely hampered. To make things even more difficult, the information security team will be aware of the lack of support and it will affect their attitude and therefore their performance.

A good Information Security Officer will work tirelessly to get the needed support of the CEO and the rest of the C-Level Management team. It’s not easy to do sometimes and it surely isn’t a quick process. You have to start out with doing what you can and then build your case. You have to show the benefit of what has been done and what can be done.

There are a couple of things that are troubling to some Information Security Officers, things that can severely hamper their ability to win the needed support. The first is when the C-Level team is practically unreachable: when they are too busy to be bothered by lower level staff, when they feel that other things are more important than hearing about the need for information security.

The obvious thing to do next would be to start with members of management teams that do have the ear of the C-Level team. Of course that means that you have to have the support of that level of management, and often that is also missing. This can happen in companies that have been around for a while and that have management from the "old school". They have the mind set that says "We don’t need no stinkin’ information security program". Information Security is new and it is the "hot" thing right now and therefore it can be threatening to the "old guard". They see it as something that they got along without for years and now it has been forced on them. So what’s next? Will it become more important than their teams and take away some of their prestige, power and pull with upper management?

These are some pretty big hurdles to overcome in lots of companies. They can frustrate security teams and they have to be overcome. So what is the answer? First, Information Security Management has to keep a positive attitude around the rest of the staff. They have to be diligent in building their case and getting it in front of those that matter. Start small and gain the allies that you can. Use them to gain more allies until you have what you need to present your case. During this phase you have to do two other things. 1) You have to be building your C-Level case so that it is rock solid when you present it. 2) You have to do what you can to secure the environment and get the program going. You may not be able to do all that you want, but do what you can.

Keep on keepin’ on and success should soon follow.

I just finished reading a post by Rebecca Herold on something that most of us don’t think about or even realize can be an issue. It’s a compliance related issue that I wasn’t aware of, and I spent 3 1/2 years working for a company where 95% of the employees had to fill out I-9s. Not only that but 99% of our customers were also not citizens of the USA. Still this was something that I never thought about and the company never brought up as something that I needed to be aware of. That makes me wonder what else I am not aware of. What other regulations are there out there that I, as the Information Security Officer, need to be aware of? I thought I was doing a pretty good job of keeping up with the various regulations but this one slipped under the radar. I hope that there aren’t others, at least not too many others.

Keeping up with these things can be a full time job and if you don’t have a legal department or an HR department that is on the ball then you had better be. I remember back in 2002 or 2003 when I first really became interested in compliance related issues. It was when HIPAA was approaching a big deadline for providers. I was tasked with becoming the HIPAA expert for the consulting firm that I worked for. At that time I decided that I would try to keep up with all appropriate regulations that affected the company that I worked for and any that may prove helpful (the knowledge of not the regulations themselves since we know that most are not helpful in the least bit) in the future.

I recommend reading Rebecca’s post (and her blog). It is full of good and useful information.

Another good post I ran across today was from the Security Monkey (he looks really familiar). In it he gives some really good information on how to handle yourself during an audit. If you have never been through an audit, or been an active participant in one, then you may not realize how important an audit is, and how important it is that you conduct yourself in a proper manner. I have been lucky (OK, so I’m not being totally honest) to have been through several audits. At first they scared me to death. I was afraid of saying the wrong thing and so was my boss. I was lucky in that I received some good advice on how to handle myself early on and it paid off. That doesn’t mean that I lied or hid the truth; I just learned to answer the questions that were asked and not the ones that I thought were asked. I recommend reading this post if you are required to participate in audits. It may well save your tushie. :)

Information Security involves many different disciplines. Some are technical, some are administrative, some are managerial. A good security professional will gain and retain skills in all of these areas as he/she moves through their career. I’ve spent most of my career on the technical side of things with some administrative and managerial thrown in. My new job has me focused primarily on working with policy at this time. I’ve been updating old policies, writing new policies and looking into just how PCI is going to affect us and what we have to do in terms of policy and technology to ensure that we are compliant. This is not an easy process, especially when you are new to a company. I am still learning how various parts of the network connect and interact with other parts. I’m still learning what it is that Management wants and what we have the technology and infrastructure to support. Then there are the decisions that were made just prior to my starting with the company. Some of them were made because it fits well with the direction that the company is heading and some of them were made because it allowed us to put a check mark in a compliance box. If you have been reading my blog for very long you know how I feel about that.

Anyway, I digress. My point in this post is to talk about policy and how to write an effective one for your company. Of course I’m not the expert on this; I don’t have all the answers and am still learning much. Much to my delight I ran across a site the other day that does a much better job than I can do. The site is The Trusted Toolkit Blog. They have declared July to be “Policy Month” and they are writing about how to create a security policy and even giving sample policies for you to download. I recommend that you keep your eye on this site this month because even if you never have to write a policy it will benefit you to have an understanding of how a policy is written and the steps involved in creating one. Not to mention that the focus on learning some “soft skills” will benefit you in the long run.

I’ve got mixed feelings regarding compliance. On one hand I like it because it is forcing many companies to do things that they wouldn’t normally do to better secure their network. On the other hand too many companies are only doing what they have to do to pass their compliance audit. They are checking the boxes on their compliance checklist and missing a hole somewhere because that area isn’t on the compliance “watch list”. They may be making the auditors happy for now but what about next year when they come back? What about next week when the bad guys find your vulnerability? After that happens you are going to be forced to take action to fix the problem. Only it may be more expensive and difficult to fix than if you had done it when it should have been done. Not to mention the clean up costs.

Compliance is not the reason to secure. You secure because what you have on your network is worth something to your business. You secure because a breach will hurt your business and possibly destroy it. You comply because you have data that is valuable to other people. Things such as customer and employee data, credit card numbers, social security numbers, etc… All of these things are “protected” by your compliance checklist, but if a hacker gets into your network through some venue that is not on the checklist it doesn’t really matter what is checked and what isn’t.

When considering security for your network you have to look past compliance and look at the “real” picture, not the one painted by GLBA, SOX, HIPAA, PCI or any of the others. Listen to your IT security staff (or those who have a clue), listen to consultants, VARs, vendors etc. Don’t just cast them off as either trying to get all the cool toys to play with or trying to sell you more than you need. Yes, those things happen, but you should at least consider what they have to say and look at it with an eye towards gaining knowledge on what will really make you secure. Too often companies look at the bottom dollar and what will fill the check boxes. The only problem is that the check boxes keep increasing in number and the bottom dollar can’t be seen because of hidden costs that you can’t know about.

In Security advice is cheap and easy to come by. Often it is VERY slanted. Slant can be affected by many things. When talking to the guys in the trenches the slant comes from using the products and how they deem that they protect or don’t protect their systems. Sometimes it comes from bias based on what they know and feel comfortable with. Other times the bias comes from vendors who are pushing their products.

I ran across an article this morning that offers some good advice for security professionals. “Have You Read Your Regulations?” by Roger Grimes talks about the importance of reading the various regulations that your company is subject to. Often knowing what is and isn’t expected and acceptable is the difference between being compliant or out of compliance. Now don’t start thinking that I’m pushing compliance as a means to security. I firmly believe in the adage “Compliance rarely leads to good security but good security almost always leads to compliance”. You can have great security in place and be in compliance but make a small mistake that is out of compliance. That is why it’s important for those who practice and manage security to be well versed in what is required and expected. Management looks to us when needing a solution to a problem. If they need to send data to a customer or business partner they come to you to find out the best way to do so. Often they come with a preconceived idea of how they will do it and they want to know if it is “in compliance” with the various regulations. When you know the answer, not only does it keep the company secure and compliant, but it also looks good to management. They know that you are the guy (or girl) that they can trust to keep them out of trouble.

Regulations can be boring and often are difficult to understand but it will serve you well to read and understand them.
