Quite often, I work with customers and prospects who are looking to improve their security and/or compliance to satisfy an audit. This is often something they know they need, but they don’t look forward to the time and effort it will take to get them from where they are today to where they want to be. I am here to say this: you are not alone, and there is help. Now, I am going to propose you don’t look at the details first. This is where you can get lost. Instead let’s start at the beginning.
So you need some security or you’d like to pass your next audit? Great, this means you have plenty of resources to help you get there! What I mean by this is you’re likely looking at the “next thing,” be it FIM, logging, hiring more people, or implementing something similarly advanced. Whether you’re looking to improve processes or procedures, a policy is here to help. If you are beholden to an auditor, you are already aligned with a policy, but if that doesn’t describe you, stick with me. Most people think policy as more work. I see it as less. Here’s why.
Policy assessments are nothing more than best practices that are collected together. When these practices are implemented, they improve the state of the environment. Change happens daily, but the policy knows this. That’s why it’s pre-determined what changes are beneficial and those that are not. Now when we layer policy assessment with the rich change data, it allows you to focus on those changes you didn’t expect or want. If you are left to come up with your own best practices, would you expect pushback? Are you confident you took into account the impact of the change and how it will help? This is why policies are important. Your time and money are precious, and policies will allow you to make the best use of these limited resources.
Let’s focus for a moment on the SANS CIS Critical Security Controls. How do these help you today? Well, to start, they have prioritized the security controls in order of importance to general security. Now you have a clear and concise list of security controls to take into account. Let’s say the focus this year is logging and ensuring you can receive an alert for events of interest. The primary control is sixth in the list, so now is the time to reflect on your confidence in the five prior controls. Do you have a good device and application inventory? We all know you can’t monitor what you aren’t aware of. Are all of the critical servers and application in scope?
As we move down the list, it is also important to track changes and restrict administrative access to these devices as well. This is what I mean! You are now on a well-defined and easy to understand path. Not only in reflection on where you started, but knowing what comes next.
After logging comes e-mail and browser protection. From here, you are standing on the backs of hundreds or thousands of security experts. This isn’t something that’s been pulled from thin air. It’s a collaboration of best practices.
Is this the last word and something you must follow rigidly? No, this is just a set of best practices designed to ensure the basics are not missed and a way to see not only where you are today but the next steps as well. You are free to change prioritization, but in the end, all the controls will come in to play at some point in time. There are sections that cover everything from documentation to training of personnel to the specific controls that can be monitored with tools such as FIM, SIEM, and VM.
Let’s also cover someone who already has a policy chosen and what that means when it comes time for an audit. If you are already working with a framework such as PCI, HIPAA, or NIST , then you know there are lots of individual controls. There can be dozens or even hundreds of controls, from password length to firewalls.
Well, how do you make sense of all the systems and all the possible changes?
With a policy assessment, you can break it down into bite sized pieces. The first step is the assessment. Where are you in relation to the policy today? I have yet to encounter an auditor or QSA that demands 100% compliance, but there is likely a threshold to reach. Rather than looking at all the controls, break it down to individual tests. Take passwords, as an example. Would you prefer to look at the settings for hundreds of systems to find the one or two systems that don’t comply with the standard? With a policy and the right tools, you can complete this assessment regularly and automatically.
Now you are not lost in a sea of settings. You are simply focusing your limited time and resources on the failures of interest. Can you find a handful of systems that failed a GPO update that took them out of compliance today? This is what I mean! Small, easy bites get you from the elephant in the room to a room full of happy people.
Still not convinced? Let’s tackle some of the most common myths of policy compliance. The first thing is to address the elephant, https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf, from the “single pane of glass” to the “this is too hard!” arguments. Will you get everything you need from a single vendor? Likely not. There are many who claim to do it all, but we all know the phrase “Jack of all trades, master of none”. This is where prioritization comes into play. What have you done? What is left to do? And what resources are available?
So now you may be tempted to take systems out of scope. In this case, you may be ignoring critical data on connected systems. I tend to approach outsourcing with the same rigor as the people that make my socks. “Nobody ever outsourced anything for quality”. Now you’re likely thinking, “when do I get the good news?” Well here it comes. This isn’t just an IT project; this is a companywide project. From security to IT, everyone is part of this objective. Is it too much to tackle? No, it is a list of best practices combined with detailed descriptions as to why the recommendation is in place. If you have adopted a policy, you can now hold to that standard in the face of pushback from executives to system administrators as there is clear and concise documentation as to why these recommendations are important.
You are not alone. There is help. Use the expertise of those who have gone before you. Take the step and select a policy framework. If you already have step one complete, congratulations! It is now time to assess where you’re at in relation to the policy you picked. Next, prioritize your resources and make a plan. It can be from 30 days to 5 years, but decide what the next step is. From there, you can take each step as slowly or as quickly as you need, all the while secure in knowing what comes next.