Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

12/5/2011
04:59 PM
50%
50%

2012 Compliance Checklist

Security professionals need to consider these best practices and new compliance requirements as they ring in a new year

Work Toward Continuous Monitoring
Michael Hamelin, chief security architect for Tufin, predicts that 2012 will be the year of continuous compliance in many auditors' books.

"In other words, organizations will have to demonstrate that they can track any changes to their compliance posture and audit as needed, as opposed to referring back to a single point in time based on their last audit," Hamelin says. "As a result, investing in automating the audit process will be top of project lists for 2012, which will result in many organizations adopting more mature and effective processes for managing compliance." The automation part is the key, says Patrick Taylor, CEO of Oversight Systems, who emphasizes continuous monitoring as a path to continuous compliance.

“Even the best defenses are routinely defeated by social engineering and other surprisingly low-tech attacks. Businesses need to find and correct fraudulent transactions that come from these attacks as they are recorded, not weeks or months after the fact," he says. "Continuous monitoring uses targeted real-time analytics to deliver this additional line of protection -- even when network defenses have been thoroughly compromised.”

Make Someone Accountable
If you haven't done so already, then make 2012 the year that your organization appoints ownership of compliance responsibilities to someone.

"Assign clear compliance responsibility to a specific authority within your organization. And along with that responsibility, don't forget to give them the authority to actually meet those goals," says Jon Heimerl, director of strategic security for Solutionary. "Make sure everyone in your organization knows who owns compliance. Make sure those people are fully trained so that they are truly qualified to actually manage the compliance process."

Watch Out For HIPAA Audits
Healthcare organizations could be in for a big-time reality check in 2012, Heimerl warns.

"The Office for Civil Rights (OCR) has initiated a pilot program to audit Covered Entities for HIPAA compliance," he says. "The program is a pretty aggressive program and will help lead to more frequent HIPAA compliance audits in the future."

One of the most important things to understand about this program is that when the organization in question is notified by OCR that it is subject to audit, it will have only 10 days to submit all of the required compliance documentation. That means if you aren't already prepared, you're pretty much up the proverbial creek without a paddle.

"This time frame is short enough that if you do not have your compliance well-defined, you will not be in a position where you will be able to meet this deadline," he says.

Treat FinCEN Seriously
Financial institutions might be focused on FFIEC right now, but they'd do well to keep an eye out for new updates from the Financial Crimes Enforcement Network (FinCEN) to its requirements for managing electronic reporting for Suspicious Activity Report (SAR) filing that will potentially go into effect in June.

"The Department of Treasury is serious about this update, and we should take it seriously when they discuss fines for noncompliance," Heimerl says.

Get IAM Control
One of the most impactful ways to improve audit results in 2012 and beyond is to do a better job bringing privileges into check and revamping identity and access management strategies to improve control and visibility.

"Identity and access management is a key component of an effective compliance strategy. Organizations cannot maintain control of compliance processes unless they know who has access to vital IT resources and what they're using them for," says Dave Fowler, the COO of Courion. "That calls for intelligence based on user data that quickly reveals associations and patterns that might violate compliance guidelines and company policies, or indicates hidden risks."

Top of the IAM to-do list should be the application of the rule of least privilege within all environments.

"Eliminating overprivileged users inside your organization will aid in compliance satisfaction as most regulations -- SOX, HiPAA, GLB, PCI -- have a clause on level of access to key IT assets," says Jim Zierick, executive vice president of product operations at BeyondTrust. "All IT assets need administration, but this level of privilege also opens the path to abuse and actions outside of corporate governance or regulated policies. "

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13991
PUBLISHED: 2020-09-24
vm/opcodes.c in JerryScript 2.2.0 allows attackers to hijack the flow of control by controlling a register.
CVE-2020-15160
PUBLISHED: 2020-09-24
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8
CVE-2020-15162
PUBLISHED: 2020-09-24
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
CVE-2020-15843
PUBLISHED: 2020-09-24
ActFax Version 7.10 Build 0335 (2020-05-25) is susceptible to a privilege escalation vulnerability due to insecure folder permissions on %PROGRAMFILES%\ActiveFax\Client\, %PROGRAMFILES%\ActiveFax\Install\ and %PROGRAMFILES%\ActiveFax\Terminal\. The folder permissions allow "Full Control" t...
CVE-2020-17365
PUBLISHED: 2020-09-24
Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. The vulnerability allows a local user to corrupt system files: a local user can create a specially craf...