Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


04:59 PM

2012 Compliance Checklist

Security professionals need to consider these best practices and new compliance requirements as they ring in a new year

Work Toward Continuous Monitoring
Michael Hamelin, chief security architect for Tufin, predicts that 2012 will be the year of continuous compliance in many auditors' books.

"In other words, organizations will have to demonstrate that they can track any changes to their compliance posture and audit as needed, as opposed to referring back to a single point in time based on their last audit," Hamelin says. "As a result, investing in automating the audit process will be top of project lists for 2012, which will result in many organizations adopting more mature and effective processes for managing compliance." The automation part is the key, says Patrick Taylor, CEO of Oversight Systems, who emphasizes continuous monitoring as a path to continuous compliance.

“Even the best defenses are routinely defeated by social engineering and other surprisingly low-tech attacks. Businesses need to find and correct fraudulent transactions that come from these attacks as they are recorded, not weeks or months after the fact," he says. "Continuous monitoring uses targeted real-time analytics to deliver this additional line of protection -- even when network defenses have been thoroughly compromised.”

Make Someone Accountable
If you haven't done so already, then make 2012 the year that your organization appoints ownership of compliance responsibilities to someone.

"Assign clear compliance responsibility to a specific authority within your organization. And along with that responsibility, don't forget to give them the authority to actually meet those goals," says Jon Heimerl, director of strategic security for Solutionary. "Make sure everyone in your organization knows who owns compliance. Make sure those people are fully trained so that they are truly qualified to actually manage the compliance process."

Watch Out For HIPAA Audits
Healthcare organizations could be in for a big-time reality check in 2012, Heimerl warns.

"The Office for Civil Rights (OCR) has initiated a pilot program to audit Covered Entities for HIPAA compliance," he says. "The program is a pretty aggressive program and will help lead to more frequent HIPAA compliance audits in the future."

One of the most important things to understand about this program is that when the organization in question is notified by OCR that it is subject to audit, it will have only 10 days to submit all of the required compliance documentation. That means if you aren't already prepared, you're pretty much up the proverbial creek without a paddle.

"This time frame is short enough that if you do not have your compliance well-defined, you will not be in a position where you will be able to meet this deadline," he says.

Treat FinCEN Seriously
Financial institutions might be focused on FFIEC right now, but they'd do well to keep an eye out for new updates from the Financial Crimes Enforcement Network (FinCEN) to its requirements for managing electronic reporting for Suspicious Activity Report (SAR) filing that will potentially go into effect in June.

"The Department of Treasury is serious about this update, and we should take it seriously when they discuss fines for noncompliance," Heimerl says.

Get IAM Control
One of the most impactful ways to improve audit results in 2012 and beyond is to do a better job bringing privileges into check and revamping identity and access management strategies to improve control and visibility.

"Identity and access management is a key component of an effective compliance strategy. Organizations cannot maintain control of compliance processes unless they know who has access to vital IT resources and what they're using them for," says Dave Fowler, the COO of Courion. "That calls for intelligence based on user data that quickly reveals associations and patterns that might violate compliance guidelines and company policies, or indicates hidden risks."

Top of the IAM to-do list should be the application of the rule of least privilege within all environments.

"Eliminating overprivileged users inside your organization will aid in compliance satisfaction as most regulations -- SOX, HiPAA, GLB, PCI -- have a clause on level of access to key IT assets," says Jim Zierick, executive vice president of product operations at BeyondTrust. "All IT assets need administration, but this level of privilege also opens the path to abuse and actions outside of corporate governance or regulated policies. "

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.