News

Ace Security Audits: Focus On Your SME’s Overarching Security Policy

January 1, 2010

By Curt Harler.

Read the original article in Processor


If you thought you were through with exams after you finished college, you were wrong, as the need to ace security compliance exams rests heavily on IT.

Any enterprise that deals with PCI DSS, HIPAA, GLBA (Gramm-Leach-Bliley Act), or Sarbox gets uptight when it comes time to prove compliance. Some audits—such as PCI’s 12-point list—are quite specific in their requirements, while others, such as HIPAA, simply mandate compliance. Some audits are formal. Others are self-assessments with quarterly scans. With so much to keep track of, the question remains: What is the best strategy to achieve success?

“Look at this as a project,” says Dan Sarel, vice president of products at Sentrigo. “The project should not be focused on passing an audit once but rather on making sure that you are compliant to the greatest extent possible given your resources—then you will be ready to pass an audit any time.”

“If you are secure, compliance comes as a byproduct,” says Bob Russo, general manager of the PCI Security Standards Council. “It’s not too difficult to become compliant. But security is a different question.”

Just as some students study for the test rather than focus on the long-term goal of learning, SMEs can get too hung up on passing audits without looking at overall security. Although he thinks that satisfying audits is a good short-term focus, Patrick Townsend, CTO of Patrick Townsend Security Solutions, echoes Russo’s security focus. “Make these things work together,” he says. “Don’t skip the hard things. Data encryption may be hard, but when data escapes into the wild, you can render that data useless by encrypting the data.”

When it comes to security, Allan Thompson, executive vice president of operations at Dataguise, says, “The most important general advice is to understand the systems and data under the enterprise’s control and to implement the principle of ‘least privilege’ wherever possible in limiting access to sensitive information inside and outside the organization.”


Compliance Concerns

Townsend offers three key pieces of advice for making compliance successful. First, do your homework before acquiring technology. “If you need to protect private data, know where it lives and how it is used before starting remediation. It’s a bad feeling to spend time encrypting a Social Security number in a table and then learning that no one needed it in that table anyway. Work from the business process down,” he says.

Second, select mainstream solutions from vendors with a record of success and a commitment to standards and certification. “Pay for solutions [that are] based on recognized standards and which are NIST-certified,” he says.

Finally, small to midsized enterprises have to accept the fact that best-of-breed products will come from a variety of vendors, he says. “Ignore vendor claims that they can solve all of your compliance needs. No one vendor can do this,” he advises.

However, Sarel notes that you should never customize if there is off-the-shelf technology that will do the work for you. “The long-term cost of supporting the customization is much higher than bringing in a product and transferring the responsibility for support and updates to an established vendor.”

You should also get some help, if you think you’ll need it. Townsend recommends finding a good security auditor to advise a firm on best security practices, and a good way to find one is through recommendations. “In IT, we tend to look for tools, but I think the most important thing you can do is find a consultant or mentor who has been through it before. Everyone I know that has deployed automated tools has been disappointed with the result. Nothing substitutes for experience.”

Sarel agrees. “It is better to do this before you start the project so you do not end up following a wrong path,” he says. Even if it makes sense later to bring it in-house, he says that a second set of eyes can be helpful to defend processes with auditors.

Finally, keep in mind that audit projects can get expensive. “You can save by clearly defining the scope and leaving out of your audit project anything that is not in-scope,” he says. “Sometimes this means creating new segments in your network, changing server locations. While difficult, this many times proves to be the best strategy.”

And no matter how good your initial program is, you will find holes, Townsend says. “The question is, what process will you use to deal with them?”

Who Is In Charge?

Some in the industry question whether IT is really the place that responsibility for meeting audit requirements should reside. “Unfortunately,” Sarel says, “most standards are vague about what needs to be done by IT. An exception is PCI, [which] clearly specifies what is expected on the IT level.”

Townsend says that IT should share responsibility with human resources and the CEO’s office, but it is up to IT to educate management and users about their responsibilities for protecting that information. “Ultimately, responsibility for making sure that sensitive data is safeguarded lies with the business owners of the applications or data,” he says.

“No one can ignore the responsibility for security and compliance. There has to be buy-in on this concept from the board of directors and the CEO down to the shipping dock,” he adds.

“Security has to be baked into the DNA of the company,” Russo adds. “It’s a shared responsibility and has to come from the top down. There are no alien concepts in audits or security. It is all common sense.”