Seven Mistakes That Make Compliance Efforts Fail

Published: 22/11/2024   Category: security



The most common mistakes that can lead to flagged audits



Complying with security mandates is rarely easy. But most organizations make it even harder than necessary by failing to learn from the mistakes of others when developing their compliance programs.
For all the time and effort that enterprise and government organizations spend complying with regulatory and standards-body mandates, an awful lot of firms can't seem to get compliance right. A study earlier this year showed that half of organizations have failed an audit, and 75 percent were not sure they'd pass their audits in the future.
According to most security and compliance experts, so many organizations fail because they're making the same mistakes time and time again. The following are some of the most frequent blunders:
1. Managers Don't Think Like Auditors
Over the years, IT auditing veteran Glenn Gibson has seen far too many mid- to upper-level IT executives botch compliance efforts because they don't truly understand the regulations or standards they are subjecting themselves to. He believes that many organizations can't satisfy auditors' demands because they don't have managers in place who can see their objectives with an auditor's eye.
He says that some of the most successful organizations in both compliance and security have policies that promote auditors from within.
"I've seen some companies where, when you're hired as an auditor, you're only going to be one for two or three years, and after that you're going to be moved into management," says Gibson, principal of security firm Zander Edward. "I think that is a very good way to do business if you're going to compensate those people well enough to stay, so they don't take that management and audit skill set and leave."
2. Resources Don't Match The Requirements
In government, the dreaded unfunded mandate is one of the biggest reasons why agencies can't comply with rules both in and out of IT. The fact is that compliance efforts take manpower and technology to work, and both require resources.
"The money has to be there," says Gibson.
It isn't just a question of budgeting, but also of allocating the right staff to the effort.
"Companies assign security duties to those least likely to fulfill them well: junior employees without security training or experience," says Bill Horne, owner of security consulting firm William Warren Consulting. "Usually it is part of the 'when you have time' lists given to apprentice system administrators, who are most likely to bypass security restrictions when a senior employee asks them for a favor."
3. Organizations Ignore Human Nature
"There's a huge human nature element to compliance mandates," says Jeff Nigriny, CEO of CertiPath, an identity and credential certification organization specializing in government compliance. He believes that many organizations fail to comply because users aren't accounted for. End users must be properly trained, and they need to be apprised of the consequences of not following compliance policies.
The stick used to enforce compliance from end users doesn't always have to be as extreme as termination, either. Sometimes a humorous dose of embarrassment can work, too. When Nigriny was the CSO at an aerospace defense contractor, he had a bit of instructive fun with users who didn't follow company policy to lock unattended PCs. When he walked company halls and saw unlocked computers, he'd sit down and write emails on the user's behalf.
"I tried to make them funny. We had a manager that had a large team, and I told his entire team that he wasn't able to use all his vacation time for the year and the first people that got to HR to ask for it could use his remaining vacation time as paid time off," he says. "There was a huge line at HR and he figured out what happened shortly thereafter."
4. Efforts Aren't Future-Proofed
According to Ben Wright, a SANS Institute instructor and attorney specializing in IT compliance and security law, organizations that don't write policies with language flexible enough to account for business and technology changes are setting themselves up for failure.
"Policies are written to require methods or technologies that will not make sense in all circumstances as time goes by. Any organization is constantly changing. After a policy is written, the organization's capabilities can change on account of things like merger, downsizing, or bankruptcy," Wright says. "A policy setting many hard requirements may not always be followed, possibly for very good economic or operational reasons."
In general, organizations have to work not only to future-proof internal policy documents, but also to align current security practices with sometimes outdated regulations.
"Most compliance requirements are a decade old and do not reflect the current work environment. One of the best examples would be PCI -- the world has gone virtual and only this past year did we see any meaningful guidance from PCI regarding virtualization," says Paul Henry, security and forensic analyst for endpoint security firm Lumension. "Organizations need to work closely with auditors to validate that, within their environment, using current-generation technologies, the compliance mandates are being met."
5. Compliance Is Isolated To IT
While the buck stops at IT's doorstep when it comes to carrying out compliance objectives, many organizations fail because line-of-business executives and the legal department aren't looped into the process.
"You need buy-in across the board for a workable compliance effort," Henry says. "Each stakeholder will have different views of compliance; bringing everyone to the table to create the vision of compliance as providing better visibility into business processes, which can actually reduce security risks while improving traditional business processes and reducing legal exposure, is a key element to success."
6. Businesses Bite Off More Than They Can Chew
While there are certainly plenty of compliance mandates piled onto organizations involuntarily -- PCI, SOX, and HIPAA come to mind -- many organizations bring unnecessary compliance work upon themselves before they're ready.
Before enterprises embark on the road to complying with something like SAS 70, COBIT, or ISO standards, they need to be sure they're ready for the process and that the objective really is necessary and aligns with business objectives.
"I think the biggest mistake is biting off more than the organization can chew," says Michael Figueroa, senior vice president at security consulting firm InfusionPoints. "A lot of organizations hear the buzzwords and say, 'We should be SAS 70 compliant,' or, 'We need to be ISO certified,' without really understanding what it means to do that. Then they either end up trying to do everything they can to get that piece of paper without actually following the policies they say they will, or they get overwhelmed and try to hide things from the auditors so they can get that piece of paper."
7. Policies Aren't Tied To Assessment Or Automation
When organizations write compliance policies that can't be properly assessed, there's no way to measure or prove they're being followed.
"If you cannot observe its state over time, its impact on your security is minimal and it should not be part of your governance program," says Tim "TK" Keanini, CTO of security and compliance auditing firm nCircle.
Similarly, organizations tend to fall down on compliance when they do everything manually.
"Automation has to be applied to as many security processes as possible because it is the only way to get a comprehensive handle on the rapid changes in the threat environment," says Keanini, who suggests organizations review quarterly those processes that can't be automated, in case new technology comes on the market to change the game. "New or more affordable technology may be available to help do things that were previously impossible."
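As an added illustration of Keanini's two points (this is example code written for this page, not code from the article or from nCircle), the script below expresses each control as a check over host state that an agent or scanner could collect, flags policy statements that have no observable state at all, and tracks pass rates across assessment runs so regressions surface automatically. The control IDs, host names and snapshot values are constructed for the example; the field names in the snapshots are assumptions about what a collector would report.

```python
"""Added example: compliance controls as observable checks evaluated over time.
Not from the article or nCircle; control IDs, hosts and values are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Control:
    control_id: str
    text: str
    # Returns True when the observed host state satisfies the control.
    # None marks a policy statement with no observable state to assess.
    check: Optional[Callable[[dict], bool]]


# Assumed snapshot fields: screen_lock_timeout_s, oldest_missing_critical_patch_days,
# role, disk_encrypted. A real collector would define its own schema.
CONTROLS: List[Control] = [
    Control("SCR-01", "Screen lock engages within 15 minutes of inactivity",
            lambda s: 0 < s.get("screen_lock_timeout_s", 0) <= 900),
    Control("PATCH-01", "No critical patch outstanding for more than 30 days",
            lambda s: s.get("oldest_missing_critical_patch_days", 999) <= 30),
    Control("ENC-01", "Full-disk encryption enabled on laptops",
            lambda s: s.get("role") != "laptop" or s.get("disk_encrypted") is True),
    # Typical wording that cannot be assessed: nothing on a host records it.
    Control("AWARE-01", "Users shall exercise caution with email attachments", None),
]

# Constructed host snapshots from two monthly assessment runs.
SNAPSHOTS = [
    {"date": "2024-10-01", "host": "lt-01", "role": "laptop", "screen_lock_timeout_s": 600,
     "oldest_missing_critical_patch_days": 12, "disk_encrypted": True},
    {"date": "2024-10-01", "host": "lt-02", "role": "laptop", "screen_lock_timeout_s": 0,
     "oldest_missing_critical_patch_days": 45, "disk_encrypted": False},
    {"date": "2024-10-01", "host": "srv-01", "role": "server", "screen_lock_timeout_s": 300,
     "oldest_missing_critical_patch_days": 3},
    {"date": "2024-11-01", "host": "lt-01", "role": "laptop", "screen_lock_timeout_s": 600,
     "oldest_missing_critical_patch_days": 40, "disk_encrypted": True},
    {"date": "2024-11-01", "host": "lt-02", "role": "laptop", "screen_lock_timeout_s": 900,
     "oldest_missing_critical_patch_days": 10, "disk_encrypted": True},
    {"date": "2024-11-01", "host": "srv-01", "role": "server", "screen_lock_timeout_s": 300,
     "oldest_missing_critical_patch_days": 35},
]


def unmeasurable(controls: List[Control]) -> List[str]:
    """Controls with no check: candidates to rewrite into something observable or to drop."""
    return [c.control_id for c in controls if c.check is None]


def evaluate_host(snapshot: dict, controls: List[Control]) -> Dict[str, bool]:
    """Pass/fail for every measurable control against one host snapshot."""
    return {c.control_id: bool(c.check(snapshot)) for c in controls if c.check is not None}


def pass_rates(snapshots: List[dict], controls: List[Control]) -> Dict[str, Dict[str, float]]:
    """date -> control_id -> fraction of hosts passing on that assessment date."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    hosts_per_date: Dict[str, int] = defaultdict(int)
    for snap in snapshots:
        hosts_per_date[snap["date"]] += 1
        for cid, ok in evaluate_host(snap, controls).items():
            hits[snap["date"]][cid] += int(ok)
    return {d: {cid: hits[d][cid] / hosts_per_date[d] for cid in hits[d]} for d in hits}


def regressions(rates: Dict[str, Dict[str, float]]) -> List[str]:
    """Controls whose pass rate fell between consecutive assessment dates."""
    dates = sorted(rates)
    worse: List[str] = []
    for prev, cur in zip(dates, dates[1:]):
        for cid, rate in rates[cur].items():
            if rate < rates[prev].get(cid, 0.0):
                worse.append(cid)
    return worse


if __name__ == "__main__":
    print("Not measurable, fix the policy text:", unmeasurable(CONTROLS))
    rates = pass_rates(SNAPSHOTS, CONTROLS)
    for date in sorted(rates):
        print(date, {cid: f"{r:.0%}" for cid, r in rates[date].items()})
    print("Regressed since last run:", regressions(rates))
```

Run as-is it reports AWARE-01 as unmeasurable, shows SCR-01 and ENC-01 improving between the two runs, and flags PATCH-01 as the one control that got worse, which is the kind of trend a quarterly manual review would be slow to notice. Swapping the constructed snapshots for output from a real inventory or configuration-scanning tool is the only change needed to use the same structure on live data.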
