Looking for tips on how to ace your next regulatory audit?
The Security Compliance Council, made up of the Institute of Internal Auditors, the Computer Security Institute, and Symantec, has been tracking what's working and what's not, says James Hurley, executive director of research for the Security Compliance Council and a director of research at Symantec.
The council, which will be renamed the IT Policy Compliance Group this fall, has gathered compliance benchmarks and anecdotal data from interviews over the past few months in a survey of over 1,000 organizations that have been through audits. Among its recent findings:
- In the past year, about 85 percent of the organizations have been through one regulatory audit; 60 percent have been through two or more; and 80 percent, three or more.
- 10 percent have fewer than three IT compliance deficiencies (including security) a year; 20 percent, more than 15; and 70 percent, three to 15 per year.
- The biggest reasons for failing an audit: inadequate access control for applications and application servers, and inadequate documentation.
- Organizations with the worst audit results did internal audits only once a year, while those with the best did them on average every 21 days.
- Whether their audit was successful or not, organizations didn't add any IT labor to their staffing.
Next on the list of failures is improper user training and accountability in organizations, Hurley says.
Does security spending affect your regulatory compliance success? Yes and no, according to the council's findings. Spending on IT security wasn't drastically different between organizations with the best audit results and those with the worst. The successful ones spent over 10 percent on security, and those with failures, six percent or less, Hurley says.
Those with the best compliance records put more money into security equipment and software, however, he says. Those with poor audits are spending 43 percent of their IT budget on security equipment and software for IT compliance, and those with successful audits, 52 percent. "They are taking money out of labor and putting it into automating the processes" such as measurement and monitoring IT compliance across the board, Hurley says.
"Organizations that go the route of automating the processes to baseline their environment and keep up with change management, fixing things on a more rapid basis, are having the least problems and getting through their audits faster," Hurley says.
To survive an IT compliance audit, Hurley says, you need to run baseline testing and monitoring of security and other implementations regularly. "The organizations [surveyed] doing continuous monitoring had the least number of audit deficiencies."
Meanwhile, security firms that perform vulnerability assessments and penetration testing say regulatory compliance is driving much of their business today. Organizations want to see where they stand with their compliance. Steve Stasiukonis, vice president and founder of Secure Network Technologies, says regulatory compliance pressures from SOX and HIPAA, for instance, are one of the main reasons his clients hire him. "I've got a couple of larger clients that call us and use all our network data and apply it to their SOX compliance" for auditors, Stasiukonis says.
These firms also get a bird's-eye view of compliance problems. "We see a lot of misconfigurations," says Sean Kelly, business technology consultant for Consilium1, which performs vulnerability assessments and pen tests.
Kelly says many firms think they are complying, but upon closer inspection, they haven't really hit the mark. One healthcare firm Consilium1 worked with, for example, was shredding documents in what it called a "secure" room, but one of the doors was always left unlocked, as well as one of the bins that housed the documents, Kelly says.
But HIPAA may suffer from the most apathy since there's really no proactive auditing performed by Health and Human Services. "Some of these organizations lose their focus on it and aren't following through with it as much," Kelly says. "And some have pooh-poohed it and not done anything," such as smaller doctors' offices and radiology groups, he says.
The problem is that no one's policing HIPAA. "The majority of healthcare organizations that SecureWorks initially speaks with are not following the HIPAA requirements in a meaningful way," Petersen says. "We believe this is because there is a lack of regulatory agency oversight. The healthcare organizations that have been successful have taken a security approach to HIPAA, not a HIPAA approach to security."
Kelly Jackson Higgins, Senior Editor, Dark Reading