The document discusses 7 common mistakes made in IT security compliance including: decentralized policy management, failing to establish a common definition of compliance, treating compliance as a tactical issue rather than strategic, failing to test solutions before implementing them, seeing audits as a nuisance, lacking buy-in from administrators, and being unaware of hidden costs of compliance solutions. The document provides examples and effects of each mistake and recommends centralizing policy management, establishing common definitions, taking a strategic approach, thorough testing, viewing audits positively, gaining administrator support, and understanding total solution costs.

1. Avoiding 7 Common Mistakes
of IT Security Compliance
Jason Creech
Director Product Management, Policy Compliance
Qualys, Inc.

2. Agenda
Introduction
Regulatory Landscape
Disparate Needs of Stakeholders
Common Compliance Framework
Common Compliance Mistakes
Lessons Learned
Summary
2

3. IT Compliance Overview
Ensuring IT compliance with regulatory mandates, industry
standards, and internal best practice policies.
Risks of non-compliance are significant and can result in substantial
financial penalties and negative brand impact.
Compliance Programs focus on:
– Developing and maintaining IT controls and policies
– Gathering data for measuring the operational implementation of controls
– Meeting increasingly complex regulations and industry mandates
– Meeting different stakeholder needs
3

4. Regulatory Landscape
ITIL v3
Today… seeing more standards,
PIPEDA (Canada)
frameworks, regulations, many industry
FDCC/SCAP
specific…HIPAA, GLBA, FDCC, PCI NIST SP 800-53
Yet… many regulations are over a PCI Data Security Standard (PCI DSS)
decade old and still no standardization EC Data Privacy Directive
FISMA 2002
FFIEC IT Exam Handbook California SB 1386 Privacy
EU Data Protection Directive BS 7799 / ISO 17799 / 27001 / 27002
HIPAA Security Rule NERC
FDA 21 CFR Part 11 (Pharma) Sarbanes-Oxley
Basel II Accord
GLBA
2000 and
1990s
beyond
4
4

5. Disparate Needs of Stakeholders
Business Management
IT Security
• Security & compliance
• Consolidate security data summary metrics
• Proactively identify threats • Reduce costs of reporting
• Prioritize IT risks • Identify areas of risk to the LOB
• Assign and verify remediation
Different
Compliance
Needs
IT Operations
IT Audit
• Prioritized and track remediation
• Reduce audit costs
• Utilize existing remediation tools
• Automated view into security data
• Closed-loop workflow
Closed-
• Automate risk & regulatory reporting

6. Common Compliance Framework
Simple Compliance Framework
Framework
Level
Regulations SOX CobiT PCI
HIPAA COSO NIST
Frameworks GRC
GLBA ISO17799 NERC Controls
Standards Vendors Design
BU Managers/Audit
Policies,
“Example: Vulnerable Processes
Standards, Compliance
must be eliminated..”
Business
Requirements
SME
AIX 5.x Technology
Telnet streams are
CID 1130 transmitted in clear text,
The telnet including usernames and
Security
Controls passwords. The entire
daemon
(Manual/Auto) session is susceptible to
shall be
Operations
interception by Threat
disabled Agents.
Data
Procedures
Harvesting
Procedures and Guidelines
and Control
Vendors
Imp.
Guidelines Detail
Detailed
Enforcement
Technical
6

7. 7 Common Compliance Mistakes
Decentralized Policy Management
Failure to establish a compliance definition
Tactical instead of strategic response
Failure to test solutions before implementation
Treating the audit as a nuisance
Lack of buy-in from administrative resources
Unaware of the hidden cost of many compliance solutions
7

8. Decentralized Policy Management
Issue:
Many large corporations manage their security policies
across disparate locations. Each region creates their
own policies and do not conform to unified standards.
Effect:
Lack of consistent terminology and reference.
Inability to demonstrate cohesive compliance initiative.
Incompatible compliance frameworks.
Many organizations are now implementing
consolidated repositories such as SharePoint or IT
GRC solutions to manage policy content.
8

9. Common Compliance Vocabulary
Establish the Definition of Basic Concepts
Policy
Compliance
Standard
Control
Additional:
Purpose and Scope Statement:
A rationale of why the Control Statement should be implemented (ex: A malicious user
may use these accounts to access sensitive information)
Datapoint:
A check to the technology (system, network, database or application) that validates the
control (ex: grep '^+:' /etc/passwd /etc/shadow /etc/group)
Exception:
An Exception allows an auditor to accept risk and make a control pass
9

10. Tactical vs. Strategic Response
Issue:
After SOX was put into effect, many organizations
responded by creating multitudes of controls to satisfy
perceived requirements.
Effect:
An inability to comply with all the defined requirements.
Overwhelmed IT staff trying to keep up.
Organizations that used a strategic approach in
prioritizing a manageable set of controls were more
successful.
10

11. Failure to Test
Issue:
Some organizations purchased software to automate
harvesting of IT compliance data, usually information
security tools.
Effect:
In haste to get solutions implemented, test was
nonexistent or inadequate.
Solutions did not meet companies compliance needs.
Some implementations conflicted with existing functions.
Unnecessary costs incurred.
11

12. Treating the Audit as a Nuisance
Issue:
There are many benefits to an IT audit. The analysis of
business functions can identify waste and streamline
business processes. But, many organizations see audits
as a nuisance and go through the motions for appearance
only.
Effect:
Lack of buy-in from stakeholders
Perception of convenience over security can occur
System integrity can be inconsistent
12

13. Lack of Buy-In from Administrators
Issue:
Administrators of IT assets are often used to doing
things their own way. They can be very confident of
their technical ability and can assume that they are
above the rules or can erase evidence.
Effect:
Some administrators have a tendency to circumvent
acceptable process.
Policy violations can occur and become evident during
an audit.
Security issues can be introduced.
13

14. The Hidden Cost of Compliance Solutions
Issue:
Many software vendors have jumped into the compliance market.
Compliance is what is driving the bulk of security software purchases.
All vendors focus on improvement in efficiency of compliance process
via software automation, but there are hidden costs that should be
evaluated as well.
Effect:
Maintenance of IT systems (Servers, DB’s) increases resources
needed.
Education of staff on usage of solution
Technology of some systems can fall out of currency quickly
14

15. Lessons Learned
Centralize policy management and promote consistency
Establish common compliance definition and educate
Focus on strategic response to maximize efficiency
Thoroughly test solutions before implementation
Consider audits as part of necessary business analysis
Foster buy-in and collaboration from administrative
resources
Achieve an understanding of the full impact of
purchased solutions
15

16. Q&A
Thank You!
Jason Creech
jcreech@qualys.com
16