Along with death and taxes, security compliance programs are becoming one of the unavoidable facts of life for many of us. That means someone has to create a compliance program so you can monitor and put appropriate controls in place around information security.
The trouble is, while many people see such a program as important, they don’t want to commit too many, if any, resources to a program. Ashley Deuble of Caterpillar was faced with this challenge. He told the audience at AusCERT 2015 about how he created a compliance program on a tight budget.
"A tight budget really means you’ve got nothing, start using Excel”. The first question you need to answer, according to Deuble, is why you think you need a compliance or assessment program.
“Our companies spend lots and lots of money creating wonderful policies, standards, guidelines, technical controls and all this wonderful stuff to protect our data, protect what’s nearest and dearest to us. At the end of that we don’t even know if our business are actually reading these policies or reading these security documents”.
This is the driver for putting a compliance program in place as those documents put operational and regulatory obligations on the business. Putting an ongoing program in place also means there’s ongoing assessment so the business better understands its posture over time.
Deuble’s process was not complex but it resulted in far better visibility of the challenges around compliance. By placing a monitoring and reporting structure around security compliance, he was able to document obligations, assign them to appropriate stakeholders and get them to take responsibility.
One of the challenges all compliance regimes need to address is partial compliance. If compliance with a particular obligation is subject to several criteria is compliance only achieved when all the criteria is met or is there some “sliding scale” of compliance.
Ultimately, Deuble chose to implement a binary scale. However, he emphasised the importance of maintaining complete documentation. For example, if a particular compliance control required a particular item to be subject to automated checking but was regularly checked manually, it was important to note both the non-compliance and how the item was being checked manually along with evidence of the checking.
There are several different options for assessment. Deuble suggested on-site reviews with security staff, remote interviews, onsite personnel working on behalf of security staff and employee self-surveys were all reasonable approaches for different controls that were being monitored.
It was also important to assign the risks in bite-sized chunks. If to many different issues are wrapped into a single risk then it may be hard to get some one to take ownership.
When reporting out to the business and senior management about the results of the compliance assessment Deuble recommends using formats that are already familiar to the business rather than creating something completely new. By including an executive summary, issues overview, detailed issues, recommendations and document control it’s possible to address the needs of most of the business without hitting them with something unfamiliar.
Deuble also emphasised the importance of reviewing reports thoroughly before distributing them. That means reading them and putting them out for peer review before wide distribution. It’s also critical to get explicit management approval for any reports that are sent out to clients.
All compliance reporting data should be encrypted when stored and in flight. That not only covers reported and any data used in the report onsite but having appropriate encryption procedures in place for data received from external partners and clients. This data should be stored in a single, safe repository.
This article is brought to you by Enex TestLab, content directors for CSO Australia.