1.2.3. Done? Why Compliance Checklists can be dangerous to your health
Let’s face it. We all love checklists. I can’t imagine going grocery shopping without one. They provide us with a system for organizing tasks, keeping a structure and reporting on accomplishments. But when checklists are the sole foundation for implementing a regulatory compliance strategy, they may leave your organization at risk for a cyber breach. Don’t get me wrong, checklists like the SANS Top 20 are great foundations for ensuring that we’re looking at the right things. However, solely checking the box to prepare for a periodic compliance audit is shortsighted. When companies fail to take a long-term strategic approach to information risk, checklists leave them vulnerable between audits and poorly positioned to handle future threats. This is the dreaded “compliance blind spot” that Chief Compliance Officers fear as they struggle to break out of the compliance checklist mindset.
Challenges in getting compliant
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that process payment card data. It is one of the most comprehensive “checklists” in the information security world. Yet a recent Verizon Payment Card Industry report highlighted some interesting findings: PCI DSS compliance is improving over time; however, in 2018 only 52.5% of organizations achieved 100% compliance during interim validation.[1] This statistic highlights the inherent challenge in becoming compliant in the first place. It would not be wise to base a company’s information management strategy solely on its best effort to comply with an industry-specific set of information security standards. In terms of compliance reporting, two fifths (40%) of organizations only measure their PCI compliance annually, for compliance validation purposes. Less than a quarter (19%) measure and report their PCI DSS compliance monthly.[1]
These best-effort approaches to compliance are not unique to the payment card industry. A healthcare survey revealed an average 47% conformance with NIST CSF controls and an average 72% compliance with the HIPAA Security Rule.[2]
Why risk management trumps check-the-box compliance
A risk-based approach attempts to identify and quantify specific risk targets, thus measuring exposure of those targets. The Factor Analysis of Information Risk (FAIR) Institute provides a model for quantifying information risk in financial terms. The methodology also complements accepted cybersecurity guidelines, such as the NIST Cyber Security Framework, by providing a financial dimension to the existing technical framework.
Absolute visibility is the basis for a solid risk management program
In a joint white paper with the FAIR Institute, Forescout explored the role that device visibility plays in effective information risk management. Organizations own and encounter three types of devices:
- Devices that are visible and actively managed (lowest vulnerability, and therefore lowest risk)
- Devices that are visible but not actively managed
- Devices that are not visible at all, which pose the highest risk
Unmanaged devices are more vulnerable and are more likely to be exploited by cybercriminals, who leverage them to gain a foothold in your network. The Forescout platform minimizes this risk through pervasive device visibility. When you have increased visibility of the devices on the network and are able to manage them, loss events like breaches occur less frequently.
Managing security risk starts by knowing who and what is on your corporate network and beyond the network perimeter. Without comprehensive visibility to connected devices, you will never have a complete and true asset inventory, and you will certainly not be able to track the movement of devices or virtualized/cloud workloads.
The first couple of steps to effective information risk management
In our paper, we provide you with a checklist (gasp) of a six-step approach to information risk management. We want you to read the entire paper but here’s a small preview of its recommendations:
- Select a risk analysis method that will work for your unique business environment.
The method you choose must be practical and the results defensible. The FAIR methodology is an open methodology, which was selected by The Open Group as its standard model for risk management.[3] The Open Group is a consortium of over 625 organizations that enables the achievement of business objectives through technology standards. Members include large corporations such as Oracle and IBM.
- Establish governance and accountability.
Your board of directors and executive management are in charge of strategically aligning risk management decisions with business objectives, executing the process of risk management, allocating the appropriate resources and measuring and monitoring risk management metrics to ensure goals and objectives are met. Read more about how to gain their confidence in accurate risk scoring in the Forescout and FAIR Institute white paper (link below).
[1] Verizon Payment Security Report: https://enterprise.verizon.com/resources/reports/2018_payment_security_report_en_xg.pdf
[2] CynergisTek Report: https://www.healthcareitnews.com/news/healthcare-organizations-lagging-behind-nist-cybersecurity-framework-hipaa-guidance
[3] The Open Group Elected Members: https://www.opengroup.org/elected-member-representatives