
The Relationship Between Compliance and Security

by OPSWAT

Compliance ≠ Security

The pressure on organizations to adhere to industry compliance regulations increases every year. Regulations such as the Payment Card Industry Data Security Standard (PCI DSS) for retailers and the Health Insurance Portability and Accountability Act (HIPAA) for healthcare organizations require IT administrators to implement the controls needed to support their compliance framework. An organization that fails to meet these regulatory standards can face significant fines as well as damage to its brand.

Compliance + Security

Compliance standards provide recommendations and a solid framework of controls that should be implemented within an organization. They are intended to push organizations toward best practices and to build a daily routine of awareness. For example, the objective of PCI DSS 5.1 is to ensure that organizations protect all of their systems and devices against malware and keep their anti-malware software regularly updated.

As you are aware, compliance does not equal security. You may have implemented every control outlined in HIPAA 164.312, which specifies the technical safeguards required to protect patient data; that does not mean your network is completely safe from threats, or that an employee won't lose an unencrypted laptop full of patient data. The guidelines in your industry's compliance standard should serve as a template for your security program, a foundation from which your organization builds out a robust security strategy.

People, Process, & Technology

While compliance controls help organizations understand what is necessary to protect consumers' data, they do not ensure complete security, and they are only successful if they are implemented correctly and maintained continuously throughout the year. Key attributes of a good security program include:

  • Discover devices and software
  • Perform analysis
  • Identify security risks
  • Report on key risks to enable remediation

This process should be continuous and security administrators should determine how they can establish these attributes and perpetuate this process throughout the organization.

A well-founded security and compliance program must address the three legs of the proverbial stool: people, process, and technology. Let's start with people. Once you have defined a policy that meets not only your compliance requirements but also your security needs, you need to educate your organization on the new policy: what is the policy, and how can employees best support it? You build this understanding through education, whether classroom training or web-based training (WBT), offered to all employees on a regular basis.

The next leg is process. Now that you know what you want to achieve, how do you achieve it? What are the processes and workflows your organization will undertake as part of this program to ensure successful execution? Once you have finalized the steps necessary to implement the policy, document them and store them where all employees have access.

Finally, we have technology, which can help administrators automate the entire workflow, starting with the discovery of the devices on your network and the software running on them. Understanding what you have and where it is in use is best done with tools that can quickly assess which devices join your network and what software they run. Following discovery, detection tools let administrators analyze and assess the security risk of those assets and their software, and produce a detailed report from which administrators can understand the issues and determine an appropriate course of action.
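The discover, analyze, identify and report loop above is easiest to see as a small policy-as-code pass. The following is an added example and not OPSWAT's or Gears' code: it runs two rules over a constructed device inventory, one traced to the anti-malware requirement the post cites (PCI DSS 5.1) and one to the technical safeguards it cites (HIPAA 164.312). The inventory, the rule IDs (AM-1, ENC-1), the 7-day definitions threshold and the assessment date are all assumptions made for the example, and the mapping of each rule to a control reference is illustrative rather than an official one. Every rule runs on every host; a host's compliance scope only decides whether a gap is reported as a compliance finding or as a plain security finding, which is the compliance ≠ security point in code form.

```python
"""Continuous compliance-and-security check over a device inventory.

Added example, not OPSWAT's code. Runs the discover -> analyze ->
identify -> report loop over a constructed inventory. The inventory,
rule IDs, threshold and assessment date are assumptions; PCI DSS 5.1
and HIPAA 164.312 are the references the post cites, and tracing each
rule to them is illustrative, not an official mapping.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed inventory, shaped like what a discovery tool might report.
INVENTORY = [
    {"host": "pos-01", "scope": {"pci"}, "av_installed": True,
     "av_defs_date": "2024-03-01", "disk_encrypted": True},
    {"host": "pos-02", "scope": {"pci"}, "av_installed": True,
     "av_defs_date": "2024-01-15", "disk_encrypted": True},
    {"host": "clinic-laptop-7", "scope": {"hipaa"}, "av_installed": True,
     "av_defs_date": "2024-03-02", "disk_encrypted": False},
    {"host": "dev-box", "scope": set(), "av_installed": False,
     "av_defs_date": None, "disk_encrypted": True},
]

MAX_DEFS_AGE_DAYS = 7                  # assumed internal threshold
ASSESSMENT_DATE = date(2024, 3, 4)     # assumed "today" for the run


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str        # internal rule id
    reference: str   # compliance control the rule is traced to
    kind: str        # "compliance" if host is in that regime's scope, else "security"
    detail: str


def antimalware_gap(dev: dict, today: date) -> Optional[str]:
    """Rule AM-1: anti-malware installed and definitions current."""
    if not dev["av_installed"]:
        return "no anti-malware installed"
    age_days = (today - date.fromisoformat(dev["av_defs_date"])).days
    if age_days > MAX_DEFS_AGE_DAYS:
        return f"definitions {age_days} days old (limit {MAX_DEFS_AGE_DAYS})"
    return None


def encryption_gap(dev: dict) -> Optional[str]:
    """Rule ENC-1: data at rest is encrypted."""
    return None if dev["disk_encrypted"] else "disk not encrypted"


# (rule id, control reference, regime whose scope makes a gap a compliance
# finding, check). Every rule runs on every host; scope only changes the
# label, because an unpatched or unencrypted host is a risk either way.
RULES = [
    ("AM-1", "PCI DSS 5.1", "pci", lambda d, t: antimalware_gap(d, t)),
    ("ENC-1", "HIPAA 164.312", "hipaa", lambda d, t: encryption_gap(d)),
]


def evaluate_device(dev: dict, today: date) -> List[Finding]:
    """Analyze one discovered device and identify its gaps."""
    findings = []
    for rule_id, ref, regime, check in RULES:
        detail = check(dev, today)
        if detail:
            kind = "compliance" if regime in dev["scope"] else "security"
            findings.append(Finding(dev["host"], rule_id, ref, kind, detail))
    return findings


def build_report(inventory: List[dict], today: date) -> Dict[str, object]:
    """Report: counts by finding kind plus the per-host detail for remediation."""
    findings = [f for dev in inventory for f in evaluate_device(dev, today)]
    return {
        "assessed": len(inventory),
        "compliance_findings": sum(f.kind == "compliance" for f in findings),
        "security_findings": sum(f.kind == "security" for f in findings),
        "findings": findings,
    }


if __name__ == "__main__":
    report = build_report(INVENTORY, ASSESSMENT_DATE)
    for f in report["findings"]:
        print(f"{f.host:16} {f.rule:6} {f.kind:10} {f.reference:14} {f.detail}")
    print(f"{report['compliance_findings']} compliance, "
          f"{report['security_findings']} security findings "
          f"across {report['assessed']} hosts")
```

Run on a schedule against a live inventory feed, this is the "continuous" part of the program: the rules encode the policy, the report is what people act on, and a host that drops out of compliance scope still shows up as a security finding rather than disappearing from view.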

Now What?

Where do you go from here? Bob Russo, General Manager at the PCI Security Standards Council, said "There's too much focus on cramming for the test and not on being a good student year round. We have to change the conversation in the boardroom and all the way down and across our businesses. Security has to be a daily priority, built into business practices, not a one-time effort." Taking this to heart, organizations should invest in building security and compliance programs that are complementary, and work toward the best security framework for their organization and their customers.

Reflecting on the process outlined above, organizations should invest in solutions that provide the necessary visibility and detection capabilities and that ensure continuous adherence to the compliance and security policies they have defined. One technology platform that addresses these security and compliance attributes is OPSWAT Gears. The cloud-based solution can discover the devices and software on your network, analyze that information, identify risks to your network and to your compliance policy, and show how you can best remediate them to get back on track.

Combining a tool such as Gears with a well-defined security and compliance policy and proper employee education puts in place a security strategy that will protect your network moving forward.
