The champagne glasses are stocked away, the New Year is in full swing and now, of course, it’s time for compliance audits. Yay! (Not really.) For most, compliance is a difficult task in and of itself. Add it to the already daunting task of monitoring increasingly complex IT infrastructure and it becomes completely overwhelming. Unfortunately, all signs point toward it not getting any easier in 2015.
So, to help address compliance head-on in the New Year, here are three major compliance-related trends to be aware of, and advice on how to meet the challenges of an ever-stricter regulatory environment.
Compliance Doesn’t Equal Security
A major issue this year will be broader understanding and honest acceptance that being compliant is one thing, but being secure is something else entirely. Think of all the high profile data breaches we have seen over the past two years. How many of those companies were “compliant”? Well, quite frankly, all of them had to meet regulations and many did so successfully. Yet they still made data breach headlines.
Thus, it is important to not fall into the trap of thinking that if one adheres to compliance requirements, security is guaranteed. In fact, many regulatory bodies are now making a point to educate organizations that the compliance standards they oversee will not always ensure their company data is secure.
Less Breach Shaming, More Breach Sympathy
Due to nationwide data breach disclosure laws now in place, the news seems filled with reports of new (and sometimes old) breaches, not often lost in the coverage is commentary on compliance and if the affected companies were indeed complaint and what issues with compliance they’ve had in the past. Expect more of the same in 2015.
However, while these reports have traditionally questioned the competency of the affected organizations, thereby essentially breach shaming the companies, we have started to see more breach sympathy—“If it can happen to company XYZ, which was compliant, it could happen to us.” While this new sense of sympathy for organizations that have suffered a breach is on the rise, it will need to be fostered in 2015. Doing so will help promote better collaboration across the industry. IT professionals have traditionally excelled at sharing information and expertise on a personal level, but in the near future, organizations will begin to share information with each other to develop collective strength against shared threats. Regulatory bodies will also hopefully participate in this free exchange, which will affect both what it takes to be compliant and means to be compliant.
Continuous Compliance, Increasing Complexity
To aid in closing the gap between being compliant and actually being secure, many are moving towards a continuous compliance model to help reduce and limit exposure to compliance and security risks. This will gain steam in 2015.
Continuous compliance involves constantly reviewing processes and quickly making any necessary updates as a result of deviations from their intended performance. However, despite the fact that continuous compliance is effective at eliminating the gaps between compliance and security, it also greatly increases the complexity of managing compliance. Tools, technologies and processes to help manage this complexity will be more important than ever.
Tackling Compliance Head-On
A fourth trend to be aware of, but one that will come as no surprise, is that 2015 will see regulatory compliance standards become stricter. The following best practices will help in meeting existing and new compliance challenges head-on in 2015 and beyond.
· Thoroughly document processes, policies and procedures. Documentation is a crucial component of compliance, but it is often the most neglected aspect.Creating comprehensive, in-depth documentation will be beneficial beyond an audit. If tasked with securing the network and preparing for audits, organizing and documenting policies and procedures is absolutely critical. Compliance is an ongoing process, so it’s important to always keep documents and information current by scheduling time to review and revise documentation throughout the year.
· Clearly understand compliance requirements for the industry. Every regulated industry is different. Regardless of which flavor of compliance an organization follows—PCI DSS, HIPAA or custom corporate policies—it’s imperative to understand what exactly is required. Remember, some compliance requirements are clearly defined while others provide only vague guidelines.
· Monitor devices and systems for compliance. Once proper documentation and a clear understanding of industry requirements is achieved, the next step is to identify which network devices, systems and applications must be monitored for compliance. This step is particularly important if deploying a security information and event management tool, since these often require configuring additional applications and systems to collect logs.
· Continuously review policies and procedures. Reviewing policies and procedures on an ongoing basis, and then comparing them with the most updated requirements, helps overcome the fear and stress that often accompany audits. Meeting compliance regulations can be challenging when it comes to collecting the necessary audit trails, so continuously reviewing policies will help ease that process.
· Automate processes wherever possible. When dealing with an immense amount of data, reviewing audit trails can be a long and challenging task. Byautomating wherever possible, workloads will be decreased and processes simplified. SIEM tools and log solutions can play an important role in automating many compliance-related tasks and processes, along with providing important alerting functionality.
While following these best practices will greatly aid in easing the burden of ensuring compliance, remember, compliant does not equal secure. Beyond these best practices and beyond being compliant, organizations of all sizes need to recognize the necessity of a proactive security plan to ensure that their infrastructure and the potentially sensitive data therein remains safe and secure.
About the Author: Mav Turner is Director of Security at SolarWinds