Understanding the Purpose of Security Controls and the Need for Compliance

6 years ago Chris Orr

What are the brakes on a car designed to do? I have asked this question many times when speaking to customers or organizations who were dipping their toes into the audit space. Invariably, their answer was, “To stop the car.” At this point, I would then ask, “Then how do you get where you want to go?”

What Is the Purpose of Controls and a Compliance Program?

When people think about controls, especially in the information technology space, they think that controls mandated by auditors are there to get in the way. They have a feeling that all of the requirements behind PCI, SOX, HIPAA, NIST, NERC, etc. are there to prevent them from doing business the way that they want.

Organizations that I have come across have the perception that if security or the auditors would get out of the way, they would be able to sell more widgets or make more gadgets. “We trust our people to do the right thing….” Underlying that is the unspoken phrase: “We hope they will do the right thing….”

There is a well-worn cliché that stems from such a belief: Hope is not a strategy, and trust is not a control. As my old friend Gene Kim used to say, “Behind every FAA regulation is a plane crash.”

The same can be said of every IT control that you find your auditors asking about:

“Have you disabled TELNET, TFTP or other insecure services and protocols?”

“Do you have a minimum of 13-character passwords configured?”

“How often do users have to change them?”

“Can they re-use passwords?”

There are hundreds if not thousands of things that an auditor is looking for, and if your organization does not have an effective and efficient compliance program in place, you can feel like all of your time is spent answering these questions and producing evidence that what you say is true.

The less defined your compliance program is, the more the auditor has to dig to get to the truth of the matter. They will select a representative sample of systems and make your IT and security staff log into each one and verify that you have in fact disabled TELNET or other services and protocols that have been proven to be hackable in the past. The more effective your compliance program is, the smaller that sample size can be, and the less time your staff will need to spend doing all of this work. Even easier would be to have a solution that can proactively test these things for you and provide reports that you can just hand to the auditor.
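As an added illustration (not Tripwire's or the author's code) of the kind of proactive check the paragraph calls for, the following evaluates a constructed fleet snapshot against the controls the auditor questions above name and produces per-host evidence. The rotation and reuse thresholds are assumed values, since the post gives no numbers for them.

```python
from dataclasses import dataclass

# Controls taken from the auditor questions in the post.
INSECURE_SERVICES = {"telnet", "tftp"}
MIN_PASSWORD_LENGTH = 13
# Rotation and reuse thresholds are assumed policy values; the post names no numbers.
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_HISTORY = 5

@dataclass(frozen=True)
class HostState:
    name: str
    listening_services: frozenset
    pass_min_len: int
    pass_max_days: int   # 0 means passwords never expire
    pass_history: int    # previous passwords remembered, which blocks reuse

def check_host(h: HostState) -> list:
    """Return (control_id, evidence) for every control the host fails."""
    findings = []
    exposed = h.listening_services & INSECURE_SERVICES
    if exposed:
        findings.append(("insecure-services", f"listening: {sorted(exposed)}"))
    if h.pass_min_len < MIN_PASSWORD_LENGTH:
        findings.append(("password-min-length", f"{h.pass_min_len} < {MIN_PASSWORD_LENGTH}"))
    if h.pass_max_days == 0 or h.pass_max_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(("password-max-age", f"{h.pass_max_days} days (0 = never)"))
    if h.pass_history < MIN_PASSWORD_HISTORY:
        findings.append(("password-reuse", f"history {h.pass_history} < {MIN_PASSWORD_HISTORY}"))
    return findings

def compliance_report(hosts) -> dict:
    """Fleet-wide evidence: failing hosts with their findings, plus a summary."""
    per_host = {h.name: check_host(h) for h in hosts}
    failing = {name: f for name, f in per_host.items() if f}
    return {"hosts_checked": len(per_host),
            "hosts_compliant": len(per_host) - len(failing),
            "findings": failing}

# Constructed fleet snapshot (what a collection agent would report); not real hosts.
SAMPLE_FLEET = [
    HostState("web01", frozenset({"ssh", "https"}), 14, 90, 10),
    HostState("legacy02", frozenset({"ssh", "telnet", "tftp"}), 8, 0, 0),
    HostState("db03", frozenset({"ssh", "postgres"}), 13, 180, 5),
]

if __name__ == "__main__":
    for name, findings in compliance_report(SAMPLE_FLEET)["findings"].items():
        print(name, findings)
```

The `findings` dictionary is the evidence an auditor would otherwise collect by hand, one host at a time.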

Executive Buy-in: The Key to Getting the Board on Your Side

A critical component is this: how do we get our executive team on board with this?

Tone at the top is the number one priority for establishing an effective and efficient compliance program. Without buy-in from upper management, there is no way that anyone below them will take audit requirements seriously. After all, if they don’t care, why should we? Upper management, especially business line managers, are the most likely to feel that security and audit requirements are going to get in the way of the business they were hired to do.

Some audit requirements have penalties attached to them. If you fail a PCI audit, the organization may not be able to take credit cards anymore. Failing a NERC audit may involve large fines. Companies that fail a SOX audit may even face criminal charges.

Those are all well and good, but what about companies that do not have these requirements? Does that mean that the CEO or CISO is able to ignore good audit hygiene? Do these companies not need to have an effective compliance program?

That is the problem that many organizations face. How do we get that tone at the top when there is no compliance requirement? More often than not, they would be just as happy to sign off on some checkbox solution to the whole thing to make it go away.

Whole books and treatises have been written on convincing the C-Suite of the importance of good controls even in the face of a lack of requirements, so I won’t bore you with those details here. However, we can get back to our original question, which was as follows: “What are the brakes on a car designed to do?”

The True Benefit of Security Controls

Unlike the default answer provided above, I would like to posit a new way of thinking. The brakes on a car are not designed to stop it. Instead, the brakes on a car are designed to allow the car to go faster safely.

This is the way that organizations, especially executives, need to start thinking about IT controls. They need to start thinking beyond the checkbox. The control is not there to prevent you from doing business. The control is there to allow you to do business faster. What car would you like to have? The Ferrari with no brakes or the Nissan Sentra with brakes? Which car would be able to navigate the twists and turns of a road course and make it to the finish line?

In business, the road to profit is never a straight line. There are bumps, sharp turns, dips and other obstacles. Without the effective controls that a compliance program gives an organization, it is just as likely to careen off the cliff of bankruptcy or crash into the wall of public shame from a security breach as it is to break even or post lost revenue.

Think of IT and security controls, as discussed in this white paper, as guide rails, brakes, or a steering wheel. They aren’t there to prevent you from getting to your destination. They are there to keep you on the road so you can reach it in one piece.

The post “Understanding the Purpose of Security Controls and the Need for Compliance” appeared first on TripWire.

Source: TripWire – Chris Orr
