
Risk

6/22/2010
04:14 PM
Dark Reading
Products and Releases

Tripwire Unveils Nine Best Practices To Achieve Compliance And Mitigate Security Risk

Steps focus on best practices for avoiding audit fatigue

PORTLAND, OR – June 22, 2010 – Tripwire, a leading global provider of IT security and compliance automation solutions, today introduced nine key steps to building a streamlined and effective information security compliance program for both enterprises and government agencies, compiled as a result of research conducted by Tripwire's Gene Kim and Jennifer Bayuk of the Stevens Institute of Technology.

"A common, and fundamentally flawed, approach to meeting information security goals is to focus exclusively on achieving compliance," said Gene Kim, CTO and Co-founder of Tripwire. "Organizations who follow this approach tend to follow a cycle of crisis-driven audit preparation, audit, audit findings, remediation and retesting -- which may also be followed by a highly political search of who is to blame for an unsuccessful audit."

In an effort to help organizations break this vicious cycle and ensure that information security becomes an integral part of daily business operations, Kim recommends that businesses adhere to the following nine best practices:

1) Align with the tone at the top -- Ensure that compliance activity is clearly managed from the top down.

2) Create a set of merged information security and compliance/business goals -- Document IT governance goals and risks to achieving those goals, and confirm that information security and compliance helps achieve those goals.

3) Define ideal information security goal indicators -- Develop theoretical ideal indicators that demonstrate that information security goals are being met.

4) Gain an end-to-end understanding of information flow -- Do an end-to-end business process walk-through to understand and document:

   * Where sensitive information enters, transits, is stored, and exits the organization
   * Specific risks to organizational goals and information flow
   * Where reliance is placed on technology to prevent and detect control failures

5) Agree upon control ownership, roles and responsibilities -- Clearly define roles and responsibilities for audit compliance activities at the process owner level.

6) Define the control tests so business process control owners will agree with the results -- Make sure evidence that demonstrates compliance goals have been met can be generated in an automated manner, upon demand.

7) Schedule and conduct regular control tests -- Conduct tests of control effectiveness frequently enough to be able to rely on their effectiveness regardless of variances in audit scope and timing.

8) Organize metrics and remediation reports -- Track the completion of required remediation work, ideally to be completed well in advance of the audit.

9) Detect and respond to significant changes to the control environment -- Have the situational awareness to know when the information flow or control environment has significantly changed, requiring these steps to be redone (for example, when an application is changed to allow consumer data to be downloaded to desktops instead of being viewed through pre-defined application reports).

Gene Kim will present to information security professionals on this topic today at the Gartner Security & Risk Management Summit in National Harbor, Maryland at 4 p.m. ET, during a session titled "Avoiding Audit Fatigue: Achieving Compliance In A Multicompliance World." To download a whitepaper on the topic, please visit: http://www.tripwire.com/register/?resourceId=9854&cat=Compliance&type=wp/.

About Tripwire

Tripwire is a leading global provider of IT security and compliance automation solutions that helps businesses and government agencies take control of their IT infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and @TripwireInc on Twitter.
