The most common mistakes that can lead to flagged audits

Dark Reading Staff, Dark Reading

August 15, 2011

7 Min Read

Complying with security mandates is rarely easy. But most organizations make it even harder than necessary by failing to learn from the mistakes of others when developing their compliance programs.

For all the time and effort spent at most enterprise and government organizations on complying with regulatory and standards-body mandates, an awful lot of security firms still can't seem to get compliance right. A study earlier this year showed that half of organizations have failed an audit, and 75 percent were not sure they'd pass their audits in the future.

According to most security and compliance experts, so many organizations fail because they're making the same mistakes time and time again. The following are some of the most frequent blunders made:

1. Managers Don't Think Like Auditors
Over the years, IT auditing veteran Glenn Gibson has seen far too many mid- to upper-level IT executives botch compliance efforts because they don't truly understand the regulations or standards they are committing themselves to. He believes that many organizations can't satisfy auditors' demands because they don't have managers in place who can see their objectives through an auditor's eyes.

He says that some of the most successful organizations in both compliance and security have policies that promote auditors from within.

"I've seen some companies where when you're hired as an auditor, you're only going to be one for two or three years and after that you're going to be moved into management," says Gibson, principal of security firm Zander Edward. "I think that is a very good way to do business if you're going to compensate those people well enough to stay, so they don't take that management and audit skill set and leave."

2. Resources Don't Match The Requirements
In government, the dreaded "unfunded mandate" is one of the biggest reasons why agencies can't comply with rules both in and out of IT. The fact is that compliance efforts take manpower and technology to work. And both require resources.

"The money has to be there," says Gibson.

It isn't just a question of budgeting, but also of allocating the right staff to the efforts.

"Companies assign security duties to those least likely to fulfill them well: junior employees without security training or experience," says Bill Horne, owner of security consulting firm William Warren Consulting. "Usually it is part of the 'when you have time' lists given to apprentice system administrators who are most likely to bypass security restrictions when a senior employee asks them for a favor."

3. Organizations Ignore Human Nature
"There's a huge human nature element to compliance mandates," says Jeff Nigriny, CEO of CertiPath, an identity and credential certification organization specializing in government compliance. He believes that many organizations fail to comply when users aren't accounted for. End users must be properly trained, and they need to be apprised of the consequences of not following compliance policies.

The stick used to enforce compliance from end users doesn't necessarily always have to be as extreme as termination, either. Sometimes a humorous dose of embarrassment can work, too. When Nigriny was the CSO at an aerospace defense contractor, he had a bit of instructive fun with users who didn't follow company policy to lock unattended PCs. When he walked company halls and saw unlocked computers, he'd sit down and write emails on the user's behalf.

"I tried to make them funny. We had a manager that had a large team, and I told his entire team that he wasn't able to use all his vacation time for the year and the first people that got to HR to ask for it could use his remaining vacation time as paid time off," he says. "There was a huge line at HR and he figured out what happened shortly thereafter."

4. Efforts Aren't Future-Proofed
According to Ben Wright, a SANS Institute instructor and attorney specializing in IT compliance and security law, the organizations that don't write policies with flexible enough language to account for business and technology changes are setting themselves up for failure.

"Policies are written to require methods or technologies that will not make sense in all circumstances as time goes by. Any organization is constantly changing. After a policy is written, the organization's capabilities can change on account of things like merger, downsizing, or bankruptcy," Wright says. "A policy setting many hard requirements may not always be followed, possibly for very good economic or operation reasons."

In general, organizations have to work to not only future-proof internal policy documents, but also to align current security practices with sometimes outdated regulations.

"Most compliance requirements are a decade old and do not reflect the current work environment. One of the best examples would be PCI -- the world has gone virtual and only this past year did we see any meaningful guidance from PCI regarding virtualization," says Paul Henry, security and forensic analyst for endpoint security firm Lumension. "Organizations need to work closely with auditors to validate that within their environment using current generation technologies that the compliance mandates are being met."

5. Compliance Is Isolated To IT
While the buck stops at IT's doorstep when it comes to carrying out compliance objectives, many organizations fail because line-of-business executives and the legal department aren't looped into the process.

"You need buy-in across the board for a workable compliance effort," Henry says. "Each stakeholder will have different views of compliance; bringing everyone to the table to create the vision of compliance as providing better vision into business processes can actually reduce security risks while improving traditional business processes and reducing legal exposure is a key element to success."

6. Businesses Bite Off More Than They Can Chew
While there are certainly plenty of compliance mandates piled onto organizations involuntarily -- PCI, SOX, and HIPAA come to mind -- many organizations bring more unnecessary compliance work upon themselves before they're ready.

Before enterprises embark on the road to complying with something like SAS 70, COBIT, or ISO standards, they need to be sure they're ready for the process and that the objective really is necessary and aligns with business objectives.

"I think the biggest mistake is biting off more than the organization can chew," says Michael Figueroa, senior vice president at security consulting firm InfusionPoints. "A lot of organizations hear the buzzwords and say, 'We should be SAS 70 compliant,' or, 'We need to be ISO certified,' without really understanding what it means to do that. Then they either end up trying to do everything they can to get that piece of paper without actually following the policies they say they will, or they get overwhelmed and try to hide things from the auditors so they can get that piece of paper."

7. Policies Aren't Tied To Assessment Or Automation
When organizations write compliance policies that can't be properly assessed, there's no way to measure or prove they're being followed.

"If you cannot observe its state over time, its impact on your security is minimal and should not be part of your governance program," says Tim "TK" Keanini, CTO of security and compliance auditing firm nCircle.

Similarly, organizations tend to fall down on compliance when they do everything manually.

"Automation has to be applied to as many security processes as possible because it is the only way to get a comprehensive handle on the rapid changes in the threat environment," says Keanini, who suggests organizations review quarterly those processes that can't be automated in case new technology comes on the market to change the game. "New or more affordable technology may be available to help do things that were previously impossible."
