Staying Current with Compliance and Security Requirements

TE: With such a broad range of regulations and standards that you have to be familiar with, how do you keep up to date?

MH: It’s a couple of things. I spend a lot of time in the evenings reading the news so that I'm at least familiar with the various new terms that are coming out. And then as a customer approaches me, a lot of times I'll do a little bit of research to brush up on my existing knowledge or make sure that the requirements haven't changed. If it's been something I haven't dealt with in a while, it could be a challenge. It's kind of like playing whack-a-mole where I need to go do some research if something pops up. Other times, it's a standard approach of spending an hour or so or more a day reading what's out there, what's available and searching for it specifically. So, you know, top of my reading list, the past couple of weeks, couple of months actually has been the new Department of Defense’s (DOD’s) Cybersecurity Maturity Model Certification (CMMC). I’ll tell you why that is:
The reason for that is because there's a lot of myths out there. Even the DOD just this past week had to come out with a statement about some of those myths and the fact that they have not certified anybody yet to actually certify a provider like us. So, they don't have a third-party assessment organization yet that can assess an organization like DataBank so we can move forward with CMMC certification. And the reason they had to come out with that is because there's been a lot of companies, a lot of assessment and audit companies that are out there claiming to be able to certify a company against CMMC. That’s just not the truth. So, one of the biggest challenges that I have is searching for the truth. One of the ways I do that is by going back to the source. I went back to the DOD head of that portion of the organization, and I looked at that person's tweets and other social media posts. I ultimately found exactly what I was looking for in that article.
Continuous Monitoring: The Key to Multiple Audits a Year

TE: You mentioned a couple of different compliance standards before, and given that you're in a shared tenant environment, I can’t help but think about the statement, “There's no such thing as compliance without audit.” I have to assume that you end up dealing with auditors and auditing across the board in your role. Is that right?

MH: Absolutely. Well, I deal with five different audits a year.

TE: What's your best advice for operating an environment with multiple audits like that?

MH: There are a couple of strategies that I take. First, I've looked at my audits and tried to group them together so we could do some of them simultaneously. I cannot do my FedRAMP at the same time as the others. Typically, the Third-Party Assessment Organizations (3PAOs) that do the FedRAMP audits may be able to do an SSAE 18 audit or another type of audit, but they typically will not do those simultaneously with the same evidence. There are different evidence pieces and artifacts that are collected. So, I break them out. I do the FedRAMP audits in the spring, and I do my PCI, my HIPAA and my SSAE 18 audits in the fall because we can reuse artifacts for those three.

The second strategy is using a common baseline for security controls. So, we're a NIST 800-53 revision for a security control shop. Everything that I do is geared towards complying with NIST because that's our highest standard. And if there is a particular control in another standard that causes me to raise that, I will for that one control. So, an example is that the NIST standards ask you to do a penetration test on an annual basis, whereas PCI asks it to be done twice a year. So, we raise it to that twice-a-year level. To make this work, have a continuous monitoring process in place that allows you to collect as many artifacts as you can without bothering other people throughout the organization.
TE: So, do you aim to be essentially continuously audit-ready in that sense?

MH: Yes. The heart of continuous monitoring is that you're essentially audit ready for most of your organizations. We do daily, weekly, monthly and quarterly continuous monitoring.

TE: Yeah. And then there’s the other challenge of shared infrastructure. You've got tenant-specific infrastructure, and then of course, the customers have their own infrastructure. There are some interesting boundaries there to deal with in terms of audit and compliance. Right?

MH: Absolutely. And so, one of the best things that's come out of PCI is the requirement to have a diagram that identifies the boundaries that DataBank is responsible for and what the customer is responsible for. So, that responsibility matrix in my type of environment is paramount to success because it limits what my auditor audits. It clearly documents and defines for my customers what they need to go and do and what their auditors need to do.

TE: What about the difference between small customers and large enterprises? Are there specific verticals that are particularly interesting or challenging from a security standpoint?

MH: Yeah. It's not the verticals that are challenging. It's the size of the corporation.
You would think that the larger the corporation, the more people they have watching you, the bigger the problem that they will be. And that's absolutely not true actually. The bigger they are, the more cooperation we get because they understand where the boundaries are, and they understand their responsibilities better. Where I've found the biggest challenge is the smaller the company and the less technical the company is, the more that they are or the less that they are informed on what they should be doing.