
Risk | 6/22/2010 04:14 PM | Dark Reading | Products and Releases

Tripwire Unveils Nine Best Practices To Achieve Compliance And Mitigate Security Risk

Steps focus on best practices for avoiding audit fatigue

PORTLAND, OR – June 22, 2010 – Tripwire, a leading global provider of IT security and compliance automation solutions, today introduced nine key steps to building a streamlined and effective information security compliance program for both enterprises and government agencies, compiled as a result of research conducted by Tripwire's Gene Kim and Jennifer Bayuk of the Stevens Institute of Technology.

"A common, and fundamentally flawed, approach to meeting information security goals is to focus exclusively on achieving compliance," said Gene Kim, CTO and Co-founder of Tripwire. "Organizations who follow this approach tend to follow a cycle of crisis-driven audit preparation, audit, audit findings, remediation and retesting -- which may also be followed by a highly political search of who is to blame for an unsuccessful audit."

In an effort to help organizations break this vicious cycle and ensure that information security becomes an integral part of daily business operations, Kim recommends that businesses adhere to the following nine best practices:

1) Align with the tone at the top -- Ensure that compliance activity is clearly managed from the top down.

2) Create a set of merged information security and compliance/business goals -- Document IT governance goals and the risks to achieving those goals, and confirm that information security and compliance help achieve those goals.

3) Define ideal information security goal indicators -- Develop theoretical ideal indicators that demonstrate that information security goals are being met.

4) Gain an end-to-end understanding of information flow -- Do an end-to-end business process walk-through to understand and document:

* Where sensitive information enters, transits, is stored, and exits the organization
* Specific risks to organizational goals and information flow
* Where reliance is placed on technology to prevent and detect control failures

5) Agree upon control ownership, roles and responsibilities -- Clearly define roles and responsibilities for audit compliance activities at the process owner level.

6) Define the control tests so business process control owners will agree with the results -- Make sure evidence that demonstrates compliance goals have been met can be generated in an automated manner, upon demand.

7) Schedule and conduct regular control tests -- Conduct tests of control effectiveness frequently enough to be able to rely on their effectiveness regardless of variances in audit scope and timing.

8) Organize metrics and remediation reports -- Track the completion of required remediation work, ideally to be completed well in advance of the audit.

9) Detect and respond to significant changes to the control environment -- Have the situational awareness to know when the information flow or control environment has significantly changed, requiring these steps to be redone (for example, when an application is changed to allow consumer data to be downloaded to desktops instead of being viewed through pre-defined application reports).

Gene Kim will present to information security professionals on this topic today at the Gartner Security & Risk Management Summit in National Harbor, Maryland at 4 p.m. ET, during a session titled "Avoiding Audit Fatigue: Achieving Compliance In A Multicompliance World." To download a whitepaper on the topic, please visit: http://www.tripwire.com/register/?resourceId=9854&cat=Compliance&type=wp/.

About Tripwire

Tripwire is a leading global provider of IT security and compliance automation solutions that helps businesses and government agencies take control of their IT infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and @TripwireInc on Twitter.
