ZenGRC

Simply Powerful GRC

ZenGRC Team

Vetting Vendors: You Are Not the Weakest Link

· ·

Vetting vendors can almost feel like a game show that has stakes higher than any prize. Anyone who remembers the old television show The Weakest Link can vividly recall how one by one, each contestant was told, “you are the weakest link,” until only the strongest competitor remained. Vetting vendors in the security space works similarly. When choosing a vendor, you want to have similar compliance profiles to ensure that they are not the weak link in your security profile. While it may be easy to understand your own landscape, applying that to a vendor sometimes feels more difficult. This guide offers suggestions for approaching the process of vetting vendors.

Vetting Vendors: 7 Steps to Successful Decisions

Review the IT Security Protocols

It may seem obvious to review a vendor’s security protocols, but at the same time, it may be hard to know what questions to ask. Certainly, using the vendor’s services means adhering to their requirements. For larger vendors, you may be able to find a SOC report, or SOX reports if the vendor is publicly held, that can help determine the controls used. Smaller vendors, however, may not have gone through the SOC audit process, so you will need to be in charge of reviewing the security requirements. Lisa Traina suggests in the Journal of Accountancy that organizations ask the following questions.

IT security controls: All vendors should report on the key security measures they employ, and, in fact, many publish white papers explaining their security standards. Minimum security controls that should be in place for hosted data include:

  • Strong password parameters requiring complex passwords that expire periodically and strong controls limiting administrative privileges for vendors and ensuring that vendors do not share administrative passwords and privileges;
  • Invalid login lockout settings—e.g., three strikes and you’re out;
  • Multifactor authentication to prevent logins from new systems, unidentified devices, etc.
  • Encryption of data in transmission and at rest. It is worth noting that encryption at rest is sometimes an optional feature;
  • Limits on which resources vendors are authorized to access;
  • Establishment of an audit trail to identify who, by name, accessed the systems and which data, if any, they could see and/or change.

In many ways, vetting vendors’ security stances is similar to reviewing your own. It is important, however, to keep in mind that if they fail to meet these standards, you are also at risk. Simply asking a vendor about their security profile does not protect you if their actions do not match their policy.

Ensure that the Vendor Does Penetration Testing

This is the corollary to your vendor’s IT security profile. When you look at the types of penetration testing done by your vendors, you need to think about the risk to your organization’s assets. If the vendor will be handling high risk information, you want to ensure that their pen testing methodology matches your needs. To ensure this, you want to determine whether they are incorporating both external and internal threats in their assessments.

Moreover, this review should incorporate an analysis of the type of penetration testing done. Some vendors may apply a “grey box” approach that incorporates limited knowledge of the infrastructure and provides the benefit of offering a review of Incident Response Plans and of IDS/IPS devices. Other vendors may use a “white box” approach with more in-depth coverage, targeting of specific systems, and a business impact analysis.

Use the Vendor Security Alliance Questionnaire

If you’re still not sure what questions to ask, the Vendor Security Alliance (VSA) can help. The VSA is a group of companies focused on measuring and reducing vendor risk. The VSA was founded by  Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, Go Daddy, and AirBnb. After noting that the majority of large breaches were due to vendors that were compromised, rather than attacked, these companies mobilized to protect the security of information.

The questionnaire offers seven tabs to walk a company through the things that need to be reviewed. It addresses service overview, data protection and access controls, policies, and standards, proactive security, reactive security, software supply chain, and compliance. According to the VSA, the questionnaire takes a data-risk based approach. As noted on the website, non-VSA members can send this questionnaire to their vendors. Upon completion, it may be used to assess risk and set benchmark cybersecurity risk.

Ask How They Vet Their Vendors

Almost every organization uses a vendor for some aspect of their business. In vetting vendors, you want to understand how they review their subcontractors. Ultimately, the flattening of business leads to interconnected liability. When choosing vendors, this means that their negligence may end up being your negligence.

Over at Malware Bytes, William Tsing notes, “do not accept ‘We have to protect our sources and methods.’ This is a phrase borrowed from government intelligence, who generally uses it in situations involving threats to human lives. More commonly, it’s used to express sentiments akin to ‘I’m not going to tell you because I don’t want to, don’t know, or it would embarrass me.’”

When vendors are part of the liability stream, their sources are your sources as well. If your vendors cannot account for their vendors, they may not be as secure as the paperwork indicates.

Assess the Vendor’s Financial Health

Vendors need to be reliable. If a vendor is having financial difficulties, they may not be able to protect your information assets or may end up causing business disruption. However, if the vendor isn’t a publicly held company, it can be difficult to find the right information. The MPI Foundation notes that some signs of poor financial health may be loss of major accounts, product or service delays, slow bill payment, asking for prepayment or quick payment, unusual price concessions, poor employee morale, high employee turnover, and workforce reductions.

The more important the vendor is to your ongoing processes, the more important the financial security of the vendor. Vetting vendors involves looking at more than just their information security profile. To protect information assets, you need to ensure that the vendor will be able to stay solvent so information will not have to be transferred multiple times.

Know the Location of Physical Facilities

The physical location of cloud based vendors poses an additional security risk. Cloud based storage reduces IT costs while also offering opportunities for scalability, reliability, and flexibility. Cloud based vendors can be risky because of the possibility that a physical location will be moved outside of the United States.
Although most cloud based providers offer “military level security,”  as one article notes, there may be additional risks to the facility’s ability to protect the equipment housing the data. When vetting vendors, you need to understand both the IT and physical security profiles to protect your organization from business disruption.

Analyze Support Availability

The old adage states, “Jack of all trades, master of none.” If businesses could do everything for themselves, they would. However, that would mean engaging in services that may not be your company’s strengths. Vendors offer the opportunity to boost your company’s ability to focus on its strengths. However,  this often means that when something goes wrong, you may have a difficult time finding the fix on your own. When vetting vendors, you want to focus on what types of technical support your organization needs from them.

James Leon lists several considerations in his article in the Journal of Accountancy, “is there 24/7 live human support? Does the vendor offer assistance in making the transition (for example, data format conversion) from your current system to theirs? Upon termination of services—when the vendor no longer serves your company—what process will the vendor follow to return your company’s data to you? Is the vendor willing to meet with and demonstrate its applications to decision makers in your company?”

When outsourcing to a vendor, it is important to understand how the vendor provides its main service to your organization. Just as important, however, is how well that service is supported when something goes wrong or when there are questions.

As more companies require more vendors to negotiate the specialty niches in a digital world, vetting vendors will increasingly become more important than before.

To learn more about how GRC automation can help with vendor management, read our eBook GRC Software Buyer’s Guide.

Wednesday’s Women in Infosec: Eleanor Dallaway

· ·

This month’s Wednesday’s Women in Infosec profile, Eleanor Dallaway, is another one of the 119 Twitter accounts you need to be following. Ms. Dallaway has a long career in the infosec space. After graduating from Loughborough University and working as a features editor at Label Magazine for a year, Ms. Dallaway began her career as assistant editor for Infosecurity Magazine. She has been with the publication since 2006. In 2013, she won the EMF Women of Influence “One to Watch” award. She also contribute’s to The Guardian’s technology section.

If you had to choose one event that led you to work in information security, what would it be and why?
I’m one of those tragic cases of serendipity – someone who fell into the information security industry by accident. Not tragic because I ended up here, tragic because our industry has failed to create defined and established career paths into the industry. My story is not unique – and the industry’s failure to actively seek out and attract new talent is a huge concern.

Why do you like working in the information security environment?
First and foremost, because the industry matters. It’s important; it makes the world a safer place. As a journalist, I can also appreciate how fast-paced it is, and there is rarely (never say never) a dull day. The fact that it’s full of intelligent, interesting people is also great, although I’d love to see more diversity.

If a n00b to the infosec world asked you for a piece of advice, what would it be?
Network, network, network. Oh, and be passionate and never stop learning.

What is the most important issue facing professionals in the information security landscape today? Why?
The skills gap crisis that we are in the midst of and that threatens to get more drastic and more catastrophic for our industry. We need more people, and it’s our responsibility as an industry to address this and work together to define career paths and encourage people to join us on this magical mystery ride!

What is the most important issue facing consumers in the information security landscape today? Why?
I think that secure (and user-friendly) authentication is one of the most important issues facing consumers today. The industry hasn’t cracked that yet, and the sooner the better.

What are your three “guilty pleasures” that have nothing to do with information security?
Bottomless Brunch. The Bachelor TV show. Sunbathing with a great book and a great cocktail.

What’s your favorite book-to-movie adaptation and why?
My teenage self would say Baz Luhrmann’s adaption of Romeo & Juliet (I’m a big Shakespeare fan) but I’m also a huge fan of The Great Gatsby. I adored the book and Luhrmann really did a fabulous job of bringing it to life on screen. I guess this answer outs me as a Leo fan…

Legal Liability in Information Security: How Compliance Can Be Used to Protect Assets

· ·

Although the word Wannacry may feel overused by now, one of the most important things going forward is going to be reviewing legal liability in information security arising out of a ransomware attack. Although incorporating a cyber insurance program into a company’s risk profile can help, clearly outlining the legal risk may feel daunting. These new areas of legal liability in information security continue to evolve meaning that risk management of these risks will continue to evolve.

Legal Liability in Information Security Changes with Technology

The Foundations of Legal Liability in Information Security

Legal liability in information security comes from several places. In the European Union, the EU Data Protection Directive established an overall obligation to protect the personal information of EU residents. In addition, some countries later implemented their own individual requirements.

In the US, the obligation to protect information comes in a more piecemeal manner. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and then the 1999 Gramm-Leach-Bliley Act (GLBA) regulated the healthcare and financial areas respectively. In 2002, the FTC and several state attorneys incorporated Section 5 of the FTC Act to address privacy of non-regulated industries.

The Fair Credit Reporting Act incorporated privacy over consumer reports. The Control the Assault of Non-Solicited Pornography and Marketing Act regulated the the collection and use of emails and telephone numbers. With the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, interception of electronic communications and computer tampering became regulated.

However, the majority of legal liability comes from case law and legal precedent that argue a common law duty to protect information. Bell v. Michigan Council in 2005 determined that the defendant owed a duty by providing safeguards.
This was followed by the US District Court in 2006 arguing in Guin v. Brazos Education that a duty of care may be established statute, such as GLBA. The 2007 case, Wolfe v. MBNA America Bank creates a foreseeable and preventable standard.

2011’s Experi-Metal, Inc. v. Comerica Bank the court argued that having strong cybersecurity safeguards and security procedures was not enough to protect the financial institution from liability, thus incorporating the Uniform Commercial Code’s definition of “good faith.” As Roland Trope noted a 2012 issue of The Business Lawyer,  

Comerica Bank therefore appears to offer as a lesson to financial institutions and their counsel that cyber-security policies and procedures need to focus not only on averting and mitigating the damage that could be done to the enterprise from a cyber-attack but also on early detection, quick intervention, and complete interdiction of cyber-fraud or other cyber exploits that have as their ultimate target and result the property of their customers. Comerica Bank suggests that it would be prudent for financial institutions and other enterprises that provide their customers online financial or commercial services to review their cyber-security precautions and consider enhancing them to improve the chances that the precautions could meet the standard set in Comerica Bank. Other federal courts may find Comerica Bank’s reasoning instructive if faced with cases that present similarly slow detection and slow and initially ineffectual responses to cyber-frauds that threaten to cause their customers significant financial damage.

In other words, as the law has evolved, companies not only have a legal obligation to protect information, but they have a legal responsibility to respond quickly.

Hacking and Legal Liability in Information Security

With all of the hubbub around the Wannacry ransomware attack in early May, most people may assume that the main liability arises out of Microsoft’s flaws that created the opening to be exploited. The legal liabilities reach further than just the exploited company.

The problem with trying to protect your organization from legal liability lies in the constantly moving target that is the judicial standard. For example, in January of 2017, the Superior Court of Pennsylvania answered questions about whether an employer has a legal duty to act reasonably to protect employee information, can a tort claim for negligence be maintained and a duty recognized by common law, and is there an implied agreement for an employer to safeguard systems to protect employee information.

Although in this instance, the court found that no duty existed, the concurrence is important to note. While a concurrence means nothing in establishing precedent, Justice Stabile stated,

I join the Majority’s opinion today, but write merely to express my view that in this constantly developing area of law and technology we must proceed to establish precedent slowly and with caution. Today’s decision should stand for no more than the conclusion that a legal duty was not found to exist under the facts as pled in this case.

Of note here is that the court held that the company had no duty to its employees.  The law is always slower to react than reality. Important to note in the Pennsylvania case is the court not wanting to set this as a clear legal precedent.

With little regulation guiding information security, precedent weighs more heavily. One of the problems in information security will likely be that the old adage, “bad facts make bad law” will hold true.

Compliance and Legal Liability in Information Security

The death knell to most companies is losing a large, public, class action lawsuit. Protecting the organization from these kinds of lawsuits means thinking strategically about the compliance posture. Simon Isgar and Bernadette Pinto of Kennedys Law note in their article that aside from purchasing cyberinsurance companies have increased their,

investment in cyber security technology, the introduction of employee training and awareness programmes and different governance functions within an organisation, better processes related to cyber detection, including detailed scenario planning, board level reporting and management of cyber risks as part of business continuity and compliance requirements. Companies that have understood and adapted their mitigation processes to be more holistic are more successful in protecting and dealing with cyber security and data breaches.

Compliance may be peer driven in many ways. However, those pressures provide a set of “best practices” that can help mitigate the legal liability in information security lawsuits. While compliance is not a get out of jail, literally, free card, it does provide a set of protocols that lead to both detection and prompt response.
Compliance plays several roles when protecting your organization. The ability to prove due diligence in keeping the information safe is only one.  In a court of law, a company may need to prove that its protocols smoothly allowed for the detection and remediation of a breach.

This is where an automated platform can help most. Showing how well coordinated the responses are and how well documented the protocols are may help prove a lack of negligence. Being able to rapidly provide clear information showing how well your company protected itself, and its customers, can help keep the organization safe in the event of a law suit.

How To Protect Legal Documentation in the Event of Breach

When thinking about documentation required during a lawsuit, the information is not always just the processes and procedures.  Once a major breach occurs, the first thought may be hiring a forensic team to research the cause.

However, the way in which that forensic team is hired needs to be thoughtful. In order to protect information that may be discoverable later, the company needs to keep in mind how its post breach actions can impact a class action lawsuit. This also means that despite having a platform where all the information is stored, it may be important to segregate the forensic documentation to protect privilege.

Al Saikali of Shook, Hardy & Bacon, LLC makes several suggestions for his article in Data Security Law Journal based on recent holdings. Saikali notes that a forensic firm should be hired by outside counsel as opposed the the incident response team or the information security department.

Any work that a forensic firm does prior to the involvement of outside counsel is not protected. By starting the process of data collection under the umbrella of outside counsel, the information more clearly falls under attorney-client privilege. In addition, as with anything else, document, document, document. Think about the importance of privilege at all steps in your post-breach activities. Saikali suggests the following

  • ensuring that the engagement letter between the breached entity and outside counsel envisions that outside counsel may need to retain a forensic firm to help counsel provide legal advice;
  • the MSA and/or SOW between outside counsel and the forensic firm makes clear that the forensic firm is being hired for the purpose of helping counsel provide legal advice to the client;
  • limit the scope of the forensic firm’s work to those issues relevant to and necessary for counsel to render legal advice;
  • ensure that the forensic firm communicates directly (and only) with counsel in a secure and confidential manner;
  • not sharing the forensic firm’s full report with anyone other than in house counsel; and
  • incorporate the forensic firm’s report into a written legal memorandum to demonstrate how the forensic firm’s findings were used to help counsel provide legal advice to the client.

Protecting your organization from legal liability in information security means protecting your documentation. While it may feel counterintuitive to have someone disconnected from the information technology department or incident response team hiring the forensic expert, the first call after the breach should be outside counsel to protect any continued information.

To read more about how ZenGRC can help you organize your data , read our eBook “Compliance Management Best Practices: When Will Excel Crust You?”collection

6 Ways SOX Compliance Benefits An Organization

· ·

6-sox-compliance-benefits

After Sarbanes-Oxley Act of 2002 (SOX) was enacted, companies were forced to rethink their reporting to avoid penalties, but SOX compliance brings significant benefits. The new approach to financial reporting that SOX created engenders greater market trust. In fact, for private companies considering going public, these SOX compliance benefits manifest, first, as better IPO pricing. A 2014 Forbes article written by Harvard Business School Working Knowledge notes,
Despite high initial costs of the internal control mandate, evidence shows that it has proved beneficial….Another concern that the act would shrink the number of IPOs has not been borne out either; in fact, the pricing of IPOs post-SOX became less uncertain. The cost of being a publicly traded company did cause some firms to go private, but research shows these were primarily organizations that were smaller, less liquid, and more fraud-prone.
In other words, SOX implementation has strengthened the public market. A company’s SOX compliance communicates a baseline level of financial assurance in publicly-traded companies, which inspires both investor confidence and market certainty. SOX has cleaned the market of less financially-reliable companies, while new publicly-traded entrants can command higher IPO pricing. This has increased overall market strength, as well as individual corporate financial stability.
These advantages represent macro-level improvements to the broader marketplace. But what are the impacts of SOX at the level of a particular company?

Six Ways SOX Compliance Benefits the Organization

  1. Risk Triage

    Not all risks are created equal. SOX compliance benefits companies by giving them a starting point for asset analysis. SOX articulates expectations, so that organizations can predict the standard they will be held to. Understanding risks means being able to more effectively target your controls. The Information Systems Audit and Control Association (ISACA) explains,
    The most appropriate and effective way to define the right scope and the extent of testing for each Sarbanes-Oxley in-scope system is to perform a risk assessment focusing on the risks associated with Sarbanes-Oxley requirements and specific to ITGC. Risk assessment is not a new buzzword-everyone in today’s world talks about risk-based approach, risk assessments, etc., but few understand that for a risk assessment exercise to be successful, it is extremely important to identify whether the focus of risk assessment is confidentiality, integrity and/or availability, and then to define the risk criteria/parameters.
    For example, a risk assessment exercise for Payment Card Industry (PCI) Data Security Standard (DSS) compliance focuses on what should and should not be stored to ensure that credit card information is not compromised and, thus, to ensure data privacy. However, for Sarbanes-Oxley, the same approach cannot be applied, because Sarbanes-Oxley focuses on data integrity and misstatements to financial reporting. Therefore, the risk assessment criterion shifts from data privacy to data integrity.
    Focused risk assessments mean understanding the landscape of the organization’s risk exposure and controls. By learning what areas do not need to be SOX compliant, the company can focus its efforts on the in-scope areas that are the greatest risk. In addition, by learning what areas are subject to SOX and how they fit into the compliance profile, internal stakeholders gain insight into how various types of compliance overlap.

  2. Control Structure Strengthening

    Sections 302 and 404 require documentation of controls, including operations manuals, personnel policies, and recorded control processes. With this kind of documentation mandatory, many organizations may find the process overwhelming. However, the steps needed to comply can be productive for the company.
    One benefit of SOX compliance is better control awareness; how these controls fit into the big picture becomes more transparent. When auditors and management focus on internal controls through a SOX assessment, the organization quickly become more aware of how important control activities are to the financial success of the organization. The additional scrutiny that comes through a SOX assessment prompts participants to put forth even more effort to ensure that activities important to financial reporting are well-executed.
    As businesses grow, organic changes can affect controls as the company matures. Organizations that prioritize compliance sooner experience SOX compliance benefits at an earlier stage. In 2006, The Harvard Business Review‘s writers Stephen Wagner and Lee Dittmar wrote,
    PepsiCo has also benefited from updating its documentation processes. In the course of making these updates, the company determined that inadequate controls existed for pension accounting, a complex process that depends not only on the internal compensation and benefits group but on external actuaries and asset custodians. Lardieri says with dismay, “A lot of steps we assumed were being taken-account reconciliations and interest calculations and data integrity checks-actually weren’t.”
    Although it was not why they began the endeavor, PepsiCo discovered unanticipated gaps and faulty assumptions while improving controls. Organizations just starting the process may be surprised by the benefits they encounter while pursuing SOX compliance.
    The process may also highlight inefficiencies in how documentation is generated and stored. For those using spreadsheets to document their SOX compliance, information may end up scattered across an organization. Automated tools provide a single location for the documentation, providing the necessary artifacts to demonstrate controls.

  3. Better Audits

    While “better audits” is imprecise, the description’s vagueness encompasses many different aspects of the audit process. The 2016 Protiviti Sarbanes-Oxley Compliance Survey research noted that

    • For a strong majority of public companies (85 percent), either the audit committee or executive management is the executive sponsor for SOX compliance efforts. The audit committee is responsible for the broad overview of the organization’s risk management, under which SOX compliance falls. Executive management is specifically responsible for the accuracy and completeness of the organization’s internal control over financial reporting – a key component of the SOX requirements. Therefore, it makes sense that executive sponsorship falls under one of these bodies.

    • Internal audit is primarily responsible for the execution of these activities in one out of three companies (35 percent). Within a majority of organizations, either internal audit or management and/or process owners have this responsibility.

    • When it comes to testing, two-thirds of public companies rely on either their internal audit groups (46 percent) or management and/or process owners (21 percent).

    • Internal auditors performing and supporting testing efforts is not surprising, given their skill sets and independence to enable external audit reliance.

    More effective and efficient operations lead to better audit outcomes. With better internal audit outcomes, the external audit process becomes more efficient. Streamlining external audit lowers overall audit costs by lowering the cost of employee time responding to external audit requests and report results. Creating better audit evidence collection smooths user experience supporting auditors. One key way to achieve this evidence collection is with an automated platform, like ZenGRC, which provides dashboards that make Audit project management easy.

  4. Efficient Financial Reporting

    The main goal of SOX was to provide transparency in financial reporting. In doing this, the statute defined minimum standards for determining reliable information. COSO described what early efforts to comply often looked like:
    First, management probably specified a high-level financial reporting objective and sub-objectives related to preparing financial statements and disclosures. In doing so, it identified significant financial statement accounts based on the risk of material misstatement. Then, for each account or disclosure, management identified relevant financial reporting assertions, including existence, completeness, rights and obligations, valuation or allocation, presentation and disclosure, and the like. In addition, management identified underlying transactions, events, and processes supporting the respective accounts and disclosures. The result may have been a mapping of the design of your company’s internal control environment, providing evidence that control activities are in place for all relevant financial reporting assertions for all significant accounts and disclosures. If there were any significant gaps, you remediated them accordingly.
    Despite the effort needed to gather documentation and strengthen controls, completing this process allows for more-efficient, more-reliable financial reporting. Once the effort to map the control environment has been completed, the organization has grappled with compliance requirements. It is positioned, for future years, to track material changes. This makes reporting easier as the organization matures. More accurate financial reporting means less time spent needing to correct mistakes.

  5. Peak Operational Performance Early On

    Early engagement with SOX compliance benefits companies by instilling process efficiencies that position it for future growth. In his Institute of Internal Auditors North American presentation, Steve Guarini, formerly with Rehmann Group now with Cohen & Company, noted that SOX compliance would

    • Utilize a top-down approach to drive efficiency and effectiveness

    • Focus on areas of high risk, significant accounts, processes, and locations

    • Take a practical approach to “right-sizing” documentation

    • Focus on key controls versus all controls

    • Integrate IT and business processes and to maximize the benefits of controls

    • Build the control structure with the goal of maximizing operational and auditing efficiency and minimizing compliance costs

    When organizations initiate controls at an early stage, SOX compliance benefits companies by motivating them to assess their starting points and annually assess their risk. This means that controls cannot be haphazard. By beginning with a streamlined approach to risk that integrates multiple business areas, organizations can operationalize best practices early.

  6. Team Collaboration and Build Working Relationships

    SOX compliance requires deeper and more frequent collaboration among internal stakeholders. Particularly in the area of IT security, attempting to operate in isolation will constrain compliance efforts. Ernst & Young note:
    As the threat landscape rapidly changes and risks increase, companies need to change their mindset and approach toward information security and privacy to address a new normal… These are issues of importance to the C-suite, elevating the need for boards of directors, audit committees, general counsels and chief risk officers to work alongside information security and privacy officers to fully address their organization’s risk management level of due care, approach and preparedness, and to implement an Information Technology Risk Management program that is adequate and effective in managing cyber risks.
    Internal auditors and those who oversee SOX assessments must collaborate across business lines to work with those who own or contribute to financial and information controls, such as control owners, IT, or HR. SOX requirements incentivize building stronger working relationships across teams.
    At the heart of this collaboration lies communication. Automated GRC tools, like ZenGRC, ease collaboration by creating a single, accessible location where the stakeholders can meet. This location also can be controlled, providing appropriate access based on compliance role.

Looking to get started with SOX compliance and curious about how an automated tool can help? Contact one of our GRC specialists.

Infosec Standards and Regulations: A Primer Sorting Compliance By Hogwarts House

· ·

infosec standards and regulations

Sorting infosec standards and regulations into Hogwarts houses seems sort of silly at first. After all, the idea of anthropomorphizing a written set of rules and guidances isn’t really something serious people do. The Hogwarts Houses, however, come with a set of characteristics that define the students’ personalities. Various online sites have sorted politicians, celebrities, and Game of Thrones characters into their houses. People love categorizing, and the Hogwarts Houses allow people to do this in a pretty finite, fun way. Even though infosec standards and regulations don’t have personalities, the organizations that create them do.

Infosec compliance lacks the strict hierarchy of other compliance areas. Infosec standards and regulations often, though not always, act as guidances and peer suggestions. Increased consumer attention has spun much of this discussion into compliance being a selling point for revenue. With the largely diversified field, however, organizing these infosec standards and regulations into a larger guide can help negotiate the continually shifting compliance landscape.

Categorizing Infosec Standards and Regulations Using Hogwarts Houses

The Gryffindors of Infosec Standards and Regulations

Gryffindor, the house of heroes such as the titular Harry Potter and his two best friends Hermione Granger and Ron Weasley, stands as the house that most values courage, bravery, and determination.
Defining Gryffindors within the world of infosec standards and regulations means looking at those organizations bravely leading the charge of security with a sense of determination to make the world more cybersafe.

NIST
The National Institute of Standards and Technology (NIST) publishes for free its well respected Cybersecurity Framework. Providing guidance instead of punishment, the Cybersecurity Framework and NIST 800-53 help give organizations a way to start organizing their best practices without automatically spending money to get caught up on the basics. With an eye towards protecting cyber security, the NIST website also offers a free reference tool to that represents the Framework Core, a set of industry standards, guidelines, and practices.

Security Policy Framework UK
Similar to NIST, the UK Cabinet Office, National Security and INtelligence, and Government Security Profession published this eleven page document to help guide protection of government assets. It incorporates twenty “Mandatory Requirements” grouped into the seven areas of Governance, Risk Management, & Compliance, Protective Marking & Asset Control, Personnel Security, Information Security & Assurance, Physical Security, Counter-Terrorism, and Business Continuity.

OWASP
The Open Web Application Security Project  began in 2001 as an open international community allowing organizations to conceive, develop, acquire, operate, and maintain trusted applications. Although OWASP presents less compliance and more resource, it deserves a place on this list as an heroic act of industry innovation that provides guidance to members. Looking at peer driven standards, frameworks, and guidances, OWASP stands as an organization whose primary goals overlap with the traditional compliance goals set out by more formalized organizations.

The Slytherins of Infosec Standards and Regulations

Slytherin, often erroneously considered the villainous foil to Gryffindor because it housed the evil Voldemort, focuses on pride, ambition, and cunning making it less about evil and more about potentially hubristic characteristics.

This category falls to those standards and frameworks that are well respected but also require users to pay for the privilege of being compliant. In this sense, the ambition and cunning win out. Often, infosec standards and regulations are considered to be best business practices or something that should protect the industry. In this way, it makes perfect ambitious sense to monetize the experience. 

ISO
The International Organization for Standardization brings to the table some of the most recognized and most often complied with standards. ISO/IEC 27000 compliance complete with all of its related standards leads the charge for those starting their infosec standards and regulations journey. The prescriptive nature of ISO 27000 means that having copies of the standard itself matters to compliance. As a leading expert on information security, ISO has managed to leverage that into an ambitious and ongoing business.

COBIT
Created by the Information Systems Audit and Control Association (ISACA), the Control Objectives for Information Related Technology (COBIT) framework acts as a tool to help bridge the gaps between business needs and technical issues to ensure that controls are appropriately mapped. COBIT importantly serves as a tool for process based modeling. Breaking thirty four specific processes into the four specific domains of Organization, Delivering & Support, Acquiring & Implementation, and Monitoring & Evaluation, the framework offers maturity models to assess changes needed as businesses grow.

COSO
During the 1980’s, the Securities and Exchange Commission created a committee to review fraudulent reporting. Five supporting organizations of auditors and accountants joined in the review leading to the Committee of Sponsoring Organizations of the Treadway Commission (COSO). In 2013, a significant revision added to the original framework. COSO’s Internal Control – Integrated Framework identifies the five interrelated components of control environment, risk assessment, control activities, information & communication, and monitoring. Its Enterprise Risk Management – Integrated Framework developed by PricewaterhouseCoopers added strategic, operations, reporting, and compliance business objective with the eight framework components of internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & management, and monitoring.

The Hufflepuffs of Infosec Standards and Regulations

Hufflepuff, long considered the weakest house due to its students kindness and selflessness, values hard work, patience, loyalty, and fair play.
Industries have adopted their own guidelines to help their hardworking members. Both the healthcare industry and the credit card industry have created infosec standards. This idea of loyalty to their community is the reason that they are the Hufflepuffs of information security compliance. The standards are intended to help the industry members be their best making them more about hard work and fair play than other standards.

HITRUST
The Health Information Trust Alliance (HITRUST) started in 2007 to help protect patient information. The HITRUST model seeks to create baselines across the health industry that can be applied to businesses based on their risk and maturity. Instead of starting with risk and creating controls in response to those risks, HITRUST looked at the healthcare industry and determined that certain risks were more likely for their members. In doing so, the HITRUST model allows HIPAA covered entities to tailor their programs through the Common Security Framework model. HITRUST provides broad access to its common risk and compliance management frameworks hoping to support the members of its community.

PCI-DSS
The Payment Card Industry Security Standards Council (PCI) was organized by American Express, DIscover Financial Services, JCB International, Mastercard, and Visa to help promote information security over electronic payment systems. The PCI Data Security Standard (PCI DSS) has become the standard of compliance for any and all payment processors. In order to comply with PCI DSS, vendors must review their landscape to determine the scope of their risk. Following from that, they map their networks to review where information lives and travels. Because PCI DSS is an industry specific standard trying to aid its members, it offers a lot of information, such as lists of approved assessors, devices, and applications.

The Ravenclaws of Infosec Standards and Regulations

Ravenclaws, the esoteric and scholarly house, most values wit, learning, and wisdom.
The key to Ravenclaws lie in their intense desire to be factually correct. Though many would argue that regulations do not promote wisdom and learning, the rule of law that they provide fits well with the need for Ravenclaws to be in charge of information. Rules of law rely on facts. In the case of the regulations discussed, they intended to punish those without integrity or who did not think about the repercussions of actions. This makes the following the most Ravenclawed of the infosec standards and regulations.

SOX
In 2002, the Sarbanes-Oxley Act (SOX) was enacted in response to a wide array of corporate fraudulent reporting. Although the Securities and Exchange Commission (SEC) had addressed many of the concerns in SOX, corporate greed led to several companies flouting the laws. SOX intended to force ethics upon these kinds of companies by establishing penalties for those who would misreport. In the world of infosec standards and regulations, SOX Section 404 causes the greatest cost. 404 requires that business evaluate their IT environment to determine whether there are financial reporting risks and controls that address them. These risks can be internal or external. Often, they come from the way transactions in the financial statements are authorized, processed, or recorded. Once the risks are identified, 404 requires a review of controls in place. These can be anything from looking at the employee level involved in the reporting structure to looking at the automation and possibility of human error. After reviewing the controls, the organization needs to determine the risk of failure to operate as intended and the risk that failure would lead to a material misstatement in financial reports. Finally, companies are required to report on their conclusions. SOC1 reports are obtained and reviewed for the IT controls performed at third parties, such as payroll processor. A company’s SOX conclusions are published in item 9a of the public company’s SEC 10k annual filing.

GDPR
The European Union’s General Data Protection Regulation (GDPR) has made accountability and governance one of its main directives. The GDPR establishes a single set of rules that apply to all member states. However, it also expands the scope to data controllers that collect information from EU residents or process information (whether it be directly or as cloud service providers) from EU residents, or if the person about whom the data is collected is an EU resident. This means that despite not necessarily being in the EU, an organization that deals with EU resident information in this variety of ways will need to become compliant. The GDPR looks to assess the lawfulness, fairness, & transparency of privacy, limit the purpose of using information, minimize the amount of data involved, ensure information accuracy, limit the amount of storage an organization keeps on a person, and enforce the integrity and confidentiality of the information. All of these are intended to lead to accountability by the processor or controller responsible for the compliance.

HIPAA
The Health Insurance Portability and Accountability of 1996 (HIPAA) required the Secretary of Health and Human Services to enact privacy regulations to protect individually identifiable health information. The HIPAA Security Standards create a regulatory requirement that those businesses falling within its purview create administrative procedures to protect and manage protection of data, physical safeguards over computer systems and buildings preventing intrusion, technical security services that review access to information, and technical security mechanism that prevent unauthorized transmission of information.
 
How do you think we fared sorting the infosec standards and regulations into houses? Do you agree with our assessment? What would you suggest be added?