Leveraging Compliance For Security

One of the big issues facing companies these days is compliance – Sarbanes-Oxley, GLBA, PCI, and there will undoubtedly be more in the coming years. As a result, vendors are pushing all sorts of products that purport to help solve the compliance problem. However, compliance is not a technology problem – it’s a business problem which needs a business solution. By instituting sustainable business processes that effectively leverage people and technology, enterprises will become not just more secure but also compliant with current and emerging regulations. Business processes tie together the people and technology that comprise a company’s operational environment. Roughly equivalent in function to ligaments and tendons in physical performance, poor business processes weaken a company’s fiscal performance. An ineffective sales tracking system, for example, will cause major problems in terms of production schedules, order fulfillment, and customer satisfaction. On the regulatory side, such an ineffective system will negatively impact a Sarbanes-Oxley (SOX) audit, since control of both quotes and orders is necessary to know and validate a company’s financial standing. Consistent, repeatable processes should be the goal of every company to ensure sustainability. They are also the cornerstone of many different compliance frameworks, including: SOX, the Payment Card Industry (PCI), ISO 17799/27001, Common Criteria (ISO/IEC 15408), and GLBA; not to mention other local and international standards. I’ve outlined three steps below for designing business processes that, when well executed, will not only improve a company’s operations, but will also ease the workload related to proving compliance. Those steps are: Separation of duties: Create a simple system of checks and balances, for example by investing expenditure approval authority and check writing authority in two different entities or individuals. A basic principle set out famously in the US Constitution, this is simple and reduces the opportunity for embezzlement, for inappropriate procurement awards, and even for stock manipulation. In a high-risk environment, a company may rotate duties to prevent collusion. For instance, the Federal Reserve Board requires authorization by individuals from at least three different groups to move gold from one vault to another; designated representatives from each of these groups are rotated regularly as well. Need to know: Limit access to critical information to those few people who have a true need to know. Establish a process for regular review of these access lists. Quarterly or semi-annual review is fairly standard for sensitive applications, augmented by additional reviews triggered when an employee changes job roles to ensure that privileges are not kept by default beyond their relevance to actual job requirements. In the case of access to all corporate financials, a few key executives and auditors should be sufficient. Regardless of the mandates of PCI, the most prudent course is to encrypt the numbers for all credit card information that is handled and to minimize the number of people who have the ability to decrypt the data. People who don’t have access to data can neither lose nor steal it. Scrutinize the use of credit card information to verify consistency with company privacy and confidentiality policies. Never use real credit card data for test systems. Monitoring tools can also help identify vulnerabilities in this access control system. This general principle aligns with auditing requirements for both SOX and PCI compliance. Change management: Establish the framework for change – and, ironically, business continuity – by fully describing the system that exists. Often perceived as tedious, with burdensome documentation requirements, change management is a key control mechanism for managing and securing financial systems. Auditors appreciate the value of solid change management practices; companies should appreciate spending less time and money on audits.An effective change management process is methodical and simple. Document all system configurations or implement an automated tool to discover system configurations and record them by date. Detail the steps required for user moves, adds, and changes, and establish an audit trail. Record proactive security events, such as patch applications and anti-virus (AV) updates. Assign to each process business owners who are responsible for maintaining and documenting the process. Record all changes manually or automatically. When anomalies are observed or something “breaks,” consult the change log for clues about the likely origin for the malfunction. The documentation serves the additional purposes of increasing uptime, improving reliability, and speeding mean time to recovery. It forms the basis for a business systems resiliency or disaster recovery plan, especially when enhanced by including key contact and license/registration information. For multi-owner processes, assign responsibility for prioritizing and approving changes to a change management committee or board. This board, especially on the applications side, should have the ability to understand the dynamics of conflicting business requirements (internal and external), regulatory requirements (external), and the risk potential inherent in changes requested from different groups. A review board with a holistic view of the system for which change is contemplated will be able to identify hazards, negotiate details, and explain and “market” prioritizations to their individual work groups. If a business process needs to be changed, change it. I have laid out three key elements to consider when designing a business process or when revamping a business process in response to new or existing compliance, security, or environmental needs. Those elements are separation of duties, need to know, and change management. The benefits are lower cost and more reliable operations, less time and money spent on audits, and greater peace of mind for the organization.Business drives changes in process. Technology may enable – or inhibit – change, but it does not drive change. Consistent communications must exist, however, between functional areas (e.g., information technology) and lines of business (e.g., product engineering or consumer loans). Such communication facilitates incremental adjustments in technology deployment that must be recorded in system configuration documents, process updates, and business continuity plans. The continuous realignment of IT and business practice is comparable to the quality movements in manufacturing processes. Technology reinforces and supports changes in process. Tools should not determine the nature of change, nor how change is implemented. Leverage the existing change management

Read Post

Interview With Mike Rothman, Part 1

Right now I’m probably lying in bed with some weird motorized ice pack strapped to my shoulder, and (hopefully) some pain meds running amok in my system. I suspect most of you are a little more comfortable at the moment, but hopefully on fewer drugs. Before diving under the knife, Mike Rothman agreed to an email interview. I’ve known Mike for something like 5-6 years now (I think). If you read this blog, the odds are pretty darn high you also read Mike’s Security Incite. It’s the best nearly-daily analysis of what’s going on in the security world. Rather than providing a simple list of links, Mike includes his own analysis on 3-4 news stories and 3-4 blog entries a day. Mike is also author of the Pragmatic CSO– a must-read for every aspiring security manager. He’s also the crazy SOB that convinced me you can make it as an independent, so I might be a little biased in his favor. Here’s the first half of the interview, and we’ll finish it off tomorrow… Thanks for joining me today, Mike, especially since it’s actually a week before today, and right now I’m probably drugged up with my arm in a sling, sitting on the couch watching Knight Rider. Who knew that the Rich Mogull has a time machine? If you patented that you really would be a Mogull. Anyhow, I hope you are feeling better and on your way to a speedy recovery. [It seems Mike doesn’t realize Knight Rider is coming back. What’s old is new, Mike.] Rather than having you talk about your past, I’d rather use this time to talk about some of your predictions for the future. Every year you publish your “Security Incites”, a mixed bag of predictions for the coming year. Some of them seem very specific and measurable, while others are, shall we say, a little fluffier. Is there a method to the madness? In fact there is. I’m constantly synthesizing information. From everything I read, every question I get, every conversation I have. Through the year I am assessing and re-assessing my positions. I go back and revisit the Incites in July and December, and by February I have a pretty good idea how they should evolve for the next year. Then I sit in a dark room, meditate for a while, and the Incites just come to me. The reality is that some of the Incites lend themselves to firm, quantifiable predictions and others not so much. Some I use to make a specific point that I think is important. Let’s talk about a few of the predictions that really stand out (for me at least). You’re predicting that 2008 will be the year network security crosses the line and finally becomes just part of the network fabric. A lot of pundits have been predicting this one for years now- what’s going to make 2008 so special? I believe that customers are voting with their dollars. They don’t want overlay solutions for network security anymore. They want their networking provider to get it right, and with the macro-economic headwinds a lot of folks expect, these customers are in no rush to roll out the technology. They have been willing to wait thus far and sooner or later the products from Big Networkers won’t totally suck. If anything, those folks are persistent and they throw a ton of money at it. They will get it right and I think 2008 is the year the security capabilities built into switches are good enough to meet most of the customer requirement. In that same prediction you bring up Network Access Control, the red headed step-child of network security. You’ve been one of the more lukewarm voices on NAC; is it a failure of the technology? Or just the market reality that big vendors see this as a way for greater lock in? To be clear, I don’t have anything against red-heads. 🙂 NAC’s issues in the market stem from two issues. First, it doesn’t solve a problem that customers think is important or urgent enough to solve. The big NAC vendors are talking about having maybe 1500 customers or something like that. And they are probably lying about that. Let’s take a market like anti-spam – which was a REAL problem – Barracuda sold to 30,000 companies in two years. If it was that big of a problem, more customers would be buying the solutions. It’s as simple as that. The second issue has to do with expectations. The NAC vendors did themselves a huge disservice by promising the world to customers. They set an expectation they couldn’t possibly meet and now you’ve got customers that are disappointed and they are telling their friends to hold off until the technology matures. Who knows when that is going to happen? So, will any NAC vendors survive on their own over the next, say, 3 years? The NAC business will suffer a severe shake-out. Quite a few will get bought, with maybe the first 1 or 2 selling for a big multiple. And no, I don’t know which 1 or 2 that will be. We will see a lot more like Caymas, just going away. Or Vernier, which got out of the NAC business altogether. That’s life in the big city. Come back tomorrow to hear Mike’s views on DLP, consumer security, and holiday card pranks. Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.