
Dark Reading | Risk | Products and Releases
6/22/2010 04:14 PM

Tripwire Unveils Nine Best Practices To Achieve Compliance And Mitigate Security Risk

Steps focus on best practices for avoiding audit fatigue

PORTLAND, OR – June 22, 2010 – Tripwire, a leading global provider of IT security and compliance automation solutions, today introduced nine key steps to building a streamlined and effective information security compliance program for both enterprises and government agencies, compiled as a result of research conducted by Tripwire's Gene Kim and Jennifer Bayuk of the Stevens Institute of Technology.

"A common, and fundamentally flawed, approach to meeting information security goals is to focus exclusively on achieving compliance," said Gene Kim, CTO and Co-founder of Tripwire. "Organizations who follow this approach tend to follow a cycle of crisis-driven audit preparation, audit, audit findings, remediation and retesting -- which may also be followed by a highly political search of who is to blame for an unsuccessful audit."

In an effort to help organizations break this vicious cycle and ensure that information security becomes an integral part of daily business operations, Kim recommends that businesses adhere to the following nine best practices:

1) Align with the tone at the top -- Ensure that compliance activity is clearly managed from the top down.

2) Create a set of merged information security and compliance/business goals -- Document IT governance goals and risks to achieving those goals, and confirm that information security and compliance helps achieve those goals.

3) Define ideal information security goal indicators -- Develop theoretical ideal indicators that demonstrate that information security goals are being met.

4) Gain an end-to-end understanding of information flow -- Do an end-to-end business process walk-through to understand and document:

* Where sensitive information enters, transits, is stored, and exits the organization
* Specific risks to organizational goals and information flow
* Where reliance is placed on technology to prevent and detect control failures

5) Agree upon control ownership, roles and responsibilities -- Clearly define roles and responsibilities for audit compliance activities at the process owner level.

6) Define the control tests so business process control owners will agree with the results -- Make sure evidence that demonstrates compliance goals have been met can be generated in an automated manner, upon demand.

7) Schedule and conduct regular control tests -- Conduct tests of controls effectiveness frequently enough to be able to rely on their effectiveness regardless of variances in audit scope and timing.

8) Organize metrics and remediation reports -- Track the completion of required remediation work, ideally to be completed well in advance of the audit.

9) Detect and respond to significant changes to the control environment -- Have the situational awareness to know when the information flow or control environment has significantly changed, requiring these steps to be redone (for example, when an application is changed to allow consumer data to be downloaded to desktops instead of being viewed through pre-defined application reports).

Gene Kim will present to information security professionals on this topic today at the Gartner Security & Risk Management Summit in National Harbor, Maryland at 4 p.m. ET, during a session titled "Avoiding Audit Fatigue: Achieving Compliance In A Multicompliance World." To download a whitepaper on the topic, please visit: http://www.tripwire.com/register/?resourceId=9854&cat=Compliance&type=wp/.

About Tripwire

Tripwire is a leading global provider of IT security and compliance automation solutions that helps businesses and government agencies take control of their IT infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and @TripwireInc on Twitter.
