Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Following the Regulatory Beat: Continuous Compliance

More and more industry standards and regulations promote or even mandate that organizations apply the concept of “continuous compliance”. Continuous compliance includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation. This approach can not only increase an organization’s compliance posture, but also its security efficacy.

More and more industry standards and regulations promote or even mandate that organizations apply the concept of “continuous compliance”. Continuous compliance includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation. This approach can not only increase an organization’s compliance posture, but also its security efficacy. However, there are some real technological challenges to overcome. So how can organizations achieve continuous compliance and take advantage of the benefits of leveraging a common control framework?

The number of regulations that affect average organizations can easily exceed a dozen or more, and grow more complex by the day. This is forcing most companies to dedicate an inordinate amount of resources to governance and compliance efforts – often, in addition to a lengthy list of existing IT priorities. This typically results in a mad dash, in the months leading up to the annual audit; spent gathering the data needed just to meet the auditor’s requirements. As a result, it’s not surprising that according to a Verizon Payment Card Industry Report, for PCI DSS, compliance levels drop to 18% within just 60 days of certification.

Continuous ComplianceIn today’s threat-driven environment the bitter truth is that one can schedule an audit, but one cannot schedule a cyber-attack. This has led many industry standard bodies (e.g., Payment Card Industry) and government regulators (e.g., Office of the Comptroller of the Currency, SEC) to change their approach and incorporate the concept of continuous compliance into their regulations. These renewed guidelines encourage organizations to find ways to streamline governance processes, continuously monitor compliance and their security posture, and correlate it to business criticality. By doing so, businesses can create a closed-loop process that encompasses the definition, evaluation, remediation and analysis of an organization’s risk posture on an ongoing basis.

The objective of this risk-based model is to maximize the efficiency of an organization’s IT security operations and provide visibility into risk and compliance posture. The ultimate goal is to remain in compliance, reduce risk, and harden security on a continuous basis.

For many organizations, the question is whether continuous compliance and monitoring are more time-consuming or resource intensive than current practices. Initially, it appears that way. However, to achieve continuous compliance and monitoring, organizations are forced to automate many otherwise manual, labor-intensive tasks. This in turn results in tremendous time and costs savings, increased accuracy, and overall improved operational efficiency.

Continuous compliance includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation. With continuous compliance, organizations can reduce overlap by leveraging a common control framework to increase accuracy in data collection and data analysis, and reduce redundant as well as manual, labor-intensive efforts by up to 75 percent.

Continuous monitoring implies an increased frequency of data assessments and requires security data automation by aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners. In turn, organizations can reduce costs by unifying solutions, streamlining processes, creating situational awareness to expose exploits and threats in a timely manner, and gathering historic trend data, which can assist in predictive security.

Closed-loop, risk-based remediation demands that subject matter experts within business units be enlisted to define a risk catalog and tolerances. This process entails asset classification to define business criticality, continuous scoring to enable risk-based prioritization, and closed-loop tracking and measurement. By establishing a continuous review loop of existing assets, people, processes, potential risks and possible threats, organizations can dramatically increase operational efficiency, while improving collaboration among business, security, and IT operations. This enables security efforts to be measured and made tangible (e.g., time-to-resolution, investment in security operations personnel, purchases of additional security tools, etc.).

Compliance mandates were never designed to drive the IT security bus. They should play a supporting role within a dynamic security framework that is driven by risk assessment, continuous monitoring, and closed-loop remediation.

Advertisement. Scroll to continue reading.
Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Compliance

Web scraping is a sensitive issue. Should a third party be allowed to visit a website and use automated tools to gather and store...

Cloud Security

Proofpoint removes a formidable competitor from the crowded email security market and adds technology to address risk from misdirected emails.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...