6/22/2010
04:14 PM
Dark Reading
Products and Releases

Tripwire Unveils Nine Best Practices To Achieve Compliance And Mitigate Security Risk

Steps focus on best practices for avoiding audit fatigue

PORTLAND, OR – June 22, 2010 – Tripwire, a leading global provider of IT security and compliance automation solutions, today introduced nine key steps to building a streamlined and effective information security compliance program for both enterprises and government agencies, compiled as a result of research conducted by Tripwire's Gene Kim and Jennifer Bayuk of the Stevens Institute of Technology.

"A common, and fundamentally flawed, approach to meeting information security goals is to focus exclusively on achieving compliance," said Gene Kim, CTO and Co-founder of Tripwire. "Organizations who follow this approach tend to follow a cycle of crisis-driven audit preparation, audit, audit findings, remediation and retesting -- which may also be followed by a highly political search of who is to blame for an unsuccessful audit."

In an effort to help organizations break this vicious cycle and ensure that information security becomes an integral part of daily business operations, Kim recommends that businesses adhere to the following nine best practices:

1) Align with the tone at the top -- Ensure that compliance activity is clearly managed from the top down.

2) Create a set of merged information security and compliance/business goals -- Document IT governance goals and risks to achieving those goals, and confirm that information security and compliance helps achieve those goals.

3) Define ideal information security goal indicators -- Develop theoretical ideal indicators that demonstrate that information security goals are being met.

4) Gain an end-to-end understanding of information flow -- Do an end-to-end business process walk-through to understand and document:

* Where sensitive information enters, transits, is stored, and exits the organization
* Specific risks to organizational goals and information flow
* Where reliance is placed on technology to prevent and detect control failures

5) Agree upon control ownership, roles and responsibilities -- Clearly define roles and responsibilities for audit compliance activities at the process owner level.

6) Define the control tests so business process control owners will agree with the results -- Make sure evidence that demonstrates compliance goals have been met can be generated in an automated manner, upon demand.

7) Schedule and conduct regular control tests -- Conduct tests of control effectiveness frequently enough to be able to rely on their effectiveness regardless of variances in audit scope and timing.

8) Organize metrics and remediation reports -- Track the completion of required remediation work, ideally to be completed well in advance of the audit.

9) Detect and respond to significant changes to the control environment -- Have the situational awareness to know when the information flow or control environment has significantly changed, requiring these steps to be redone (for example, when an application is changed to allow consumer data to be downloaded to desktops instead of being viewed through pre-defined application reports).

Gene Kim will present to information security professionals on this topic today at the Gartner Security & Risk Management Summit in National Harbor, Maryland at 4 p.m. ET, during a session titled "Avoiding Audit Fatigue: Achieving Compliance In A Multicompliance World." To download a whitepaper on the topic, please visit: http://www.tripwire.com/register/?resourceId=9854&cat=Compliance&type=wp/.

About Tripwire

Tripwire is a leading global provider of IT security and compliance automation solutions that helps businesses and government agencies take control of their IT infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and @TripwireInc on Twitter.
