Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

1/4/2019
10:30 AM
Andrew Williams
Andrew Williams
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Managing Security in Today's Compliance and Regulatory Environment

Instead of losing sight of the cybersecurity forest as we navigate the compliance trees, consolidate and simplify regulatory compliance efforts to keep your eyes on the security prize.

Two cause-and-effect trends have become increasingly apparent to many industry observers over the past 10 years: (1) cybersecurity compliance and regulatory requirements will only continue to increase in coverage, stringency, and number to address the (2) multitude of threats, vulnerabilities, data handling scandals, and cyber exploits present in today's cyber landscape.

While it has become accepted that "compliance does not equal security," it's also generally accepted that there is some correlation between the two. One recent survey by SolarWinds found that over 70% of security professionals in the federal government — one of the most heavily regulated cyber domains in the world — agreed with the statement that "compliance has helped me improve my cybersecurity capabilities." But for many organizations, complying with one regulation — say, PCI — isn't always the end. Countries, states, specific industries, customer vendor management programs and nongovernmental bodies like the Payment Card Industry Security Standards Council impose regulatory requirements and compliance obligations on private sector organizations from all sorts of industries.

Beyond obvious industries that traditionally have been heavily regulated (including finance, healthcare, and critical infrastructure), cybersecurity compliance and regulatory requirements now most heavily affect technology-focused industries that depend on customer trust to sell services: namely, cloud service providers. AWS alone publicly discloses compliance with almost 35 different cybersecurity regulations and compliance frameworks, while the market for compliant cloud services generates tremendous interest because of the ongoing shift to cloud IT prevalent in many industries.

Cloud service providers have an incentive to comply with as broad and deep a set of cybersecurity compliance and regulatory requirements as feasible because of the growing recognition that cybersecurity and public disclosure of compliance certification and regulatory adherence in data-dependent and IT-rich industries is a business enabler, not necessarily an inhibitor or a cost center.

But not every industry has the same drivers, and the impact of cybersecurity regulations extends far beyond industries who drive revenue with technology. Recent changes to the Department of Defense acquisition regulations and the advent of the EU's General Data Protection Regulation, for instance, have promulgated cybersecurity requirements to sectors of the economy that traditionally had little to concern themselves with cybersecurity. And the effects of all of this are expected to continue to manifest as high-profile breaches, misuse of data, and critical security vulnerabilities continue to make front-page headlines around the world.

What cybersecurity regulatory bodies appear to be slowly inducing in the industries they regulate and oversee is the problem of audit fatigue — poor security or operational outcomes due to a preoccupation with positive compliance outcomes instead of positive security outcomes, or the exhaustion of valuable security and engineering time and resources due to audit demands. For some highly regulated organizations, this is not a new problem — the 2015 US Office of Personnel Management data breach post-mortem even attributed part of the cause of the incident to the problem of audit fatigue. This phenomenon isn't exclusive to regulation-intensive industries and technology-driven organizations; it can realistically be diagnosed at organizations that are just now encountering their first regulatory requirements around cybersecurity and are struggling to cope

There are many proposed solutions to the problem of audit fatigue in a cybersecurity setting. Concepts such as consolidated audits and assessments, coordinated regulatory and compliance mappings, evidence-based compliance management, more effectively modeled GRC (governance, risk management, and compliance) tooling, compliance automation, and security outcome-based efforts all show promise. Regulatory bodies (most notably the federal government) have also shown progress in moving in the direction of risk-based compliance certification and continuous monitoring emphasis as opposed to point-in-time auditing, allowing organizations some much-needed flexibility when working to comply with new requirements.

Recommendations
For organizations that aren't experienced with cybersecurity regulatory or compliance obligations, however, there isn't necessarily a panacea to address the problem of learning to comply with compliance overhead in the first place or proactively planning for a future where the regulatory landscape becomes more stringent and more imposing. Before exploring industry solutions and techniques that are often oriented at organizations already well versed in compliance and regulatory requirements, here are a few recommendations for security professionals who are just beginning to dive into compliance and regulatory requirements that affect their organization (and some helpful reminders for those of us who have had to navigate a regulatory regime in the past):

1. Remember that security principles and core concepts haven't changed much. There are still high-impact security initiatives that can demonstrate immediate results, such as the deployment of multifactor authentication, implementation of security training, or clear definition of network security boundaries and access authorization. When in doubt, prioritize security concerns that have traditionally been considered high-impact. The CIS (previously SANS) top 20 security controls and other industry standard checklists often provide a good starting point when beginning such an undertaking.

2. Conduct your own cursory assessment of risk and regulatory concern as soon as feasible. Even in security-immature organizations, many security professionals already have a good idea of where "the bodies are buried." Taking stock of processes, norms, data stores, access structures, and systems that are considered high risk can formalize this implicit understanding of what's at stake and which efforts to prioritize.

3. Whether or not you're subject to regulatory or compliance pressure (but especially if you are), develop a 1-/3-/5-year compliance road map to augment the existing IT or security investment and implementation road map. Having a plan of action not only provides directional clarity to internal management stakeholders who may just be learning of what impact a new requirement has on the underlying business, it also provides external regulatory bodies and auditors assurance that you are taking your obligations seriously and has been known to reduce pressure on organizations that can't feasibly comply with a particular obligation within the expected time frame.

Related Content:

Andrew Williams is the Director of Program Development at Coalfire. In this role, he is responsible for working closely with Coalfire customers, industry bodies and regulatory authorities, and internal stakeholders to ensure Coalfire's services, delivery, and talent are ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18218
PUBLISHED: 2019-10-21
cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).
CVE-2019-18217
PUBLISHED: 2019-10-21
ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop.
CVE-2019-16862
PUBLISHED: 2019-10-21
Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code in the context of a user's session via the pid parameter.
CVE-2019-17409
PUBLISHED: 2019-10-21
Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 ia the id parameter.
CVE-2019-10715
PUBLISHED: 2019-10-21
There is Stored XSS in Verodin Director before 3.5.4.0 via input fields of certain tooltips, and on the Tags, Sequences, and Actors pages.