Compliance versus Security: Looking for Gold in a Coal Mine Kristy Westphal Information Security Officer Element Payment Services ISSA- January 14, 2014

Source: phoenix.issa.org/wp-content/uploads/2014/01/ISSA-Compliance-vers…

Agenda

• What does it mean to be compliant or secure?
• Standards/regulations that apply
• Finding the gold in the coal
• Putting it to use in your organization

Houston…

• There is a problem
• We used to use compliance to get security tools in place
• But then we got the tools and didn’t do the right thing with them
• I argue that we still are not communicating risk to upper management

Let’s get this straight

• Compliance DOES NOT EQUAL security
  ▫ Target
  ▫ Heartland
  ▫ Hannaford
  ▫ The Briar Group
  ▫ Even the Federal Reserve….
• But why?

Because I said so!

• PCI is prescriptive
  ▫ But limited in scope
• HIPAA, SOX, ISO27001
  ▫ All provide a pathway, but don’t dig into the details
• NIST is VERY detailed
  ▫ But it’s not prioritized and many outside the Fed won’t implement

Maybe audits look a little like..?

My version of the compliance audit

• PANIC
• Set audit date
• Make up what’s missing
• Prep team how to talk to an auditor
• Convince auditor processes are pristine
• Get clean audit/remediation items
• Organize phone books of docs
• Scramble for remediation items not done from last time

It sure doesn’t look like this

Or this…

OK, it’s not ALL bad

• Regular review of documentation
• You do get to implement tools (they have to produce a report somehow)
• Compliance does avoid some fines and jail time

But…

• If you only document compliance related stuff
• But do you know what the reports you produce mean?
• But if you still get attacked…then WTF?

True Cost of Compliance

• We define a compliance activity as one that organizations use to meet the specific rules, regulations, policies and contracts that are intended to protect information assets.
• We define non-compliance cost as the cost that results when an organization fails to comply with rules, regulations, policies, contracts, and other legal obligations.
• Although all organizations that participated in this study experienced both compliance and non-compliance costs, the findings demonstrate the value of investing in activities that may help an organization reduce the reactive costs of non-compliance.

Saying a lot while saying nothing

Where do we start mining?

• Understand the scope of your compliance environment
  ▫ Ensure it is well documented
• Understand the business priorities
• Dissect your compliance reports
  ▫ Is the effort of what you are doing worth it?
  ▫ Is there a compliance aspect that should apply elsewhere?
  ▫ Is there a better way to do things?

Let’s take a look at PCI (look at the pic! We’re done!)

Just kidding

Still messing with you

HIPAA

• §164.308(a)(1): Security Management Process
  §164.308(a)(1)(ii)(a) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
• Conduct Risk Assessment
  ▫ Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  ▫ Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
  ▫ Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.
  ▫ Determine if the covered entity risk assessment has been conducted on a periodic basis.
  ▫ Determine if the covered entity has identified all systems that contain, process, or transmit ePHI

More HIPAA!

• §164.308(a)(1)(ii)(b) - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a)
• Implement a Risk Management Program
  ▫ Inquire of management as to whether current security measures are sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
  ▫ Obtain and review security policies and evaluate the content relative to the specified criteria.
  ▫ Determine if the security policy has been approved and updated on a periodic basis.
  ▫ Determine if security standards address data moved within the organization and data sent out of the organization.

SOX

• There is typically something related to: upper management needs to understand what is going on.
• So how do you dig deep into this enough to provide what they need?
  ▫ What metrics do you provide today?
  ▫ Do you explain what they mean?
  ▫ Better yet- are you sure they understand what they mean?

SOX

• Tracking of security incidents
• Typically, this is just a process to show that
  1) You report security incidents
  2) You track them
• But do you actually do anything like:
  ▫ Prepare
  ▫ Detect/Analyze
  ▫ Contain/Eradicate/Recover
  ▫ Post-mortem/Remediation

Top priorities

•  Use application “whitelisting” to help prevent malicious software and other unapproved programs from running.

•  Patch applications such as PDF readers, Microsoft Office, Java, Flash Player, and web browsers. These applications are in daily use in most companies.

•  Patch operating system vulnerabilities, for the same reasons discussed above.

•  Minimize the number of users with administrative privileges, the highest level of authority to make changes or undertake actions on a network.

OK, great, now you have it

• But does anyone else?
• How do you translate what you just did into something management understands?
• Get out the risk decoder ring!

First, let’s try to explain the difference

• Security- protects stuff
• Compliance- necessary due diligence- a cost of doing business
• But, we can reduce risk to the business by prioritizing both

What risks are truly at stake?

• Tripwire/Ponemon Institute paper says non-compliance far outweighs cost of compliance
• So show that value
• Publish metrics:
  ▫ I bet an astounding number of spam and other malicious emails get blocked every day
  ▫ How much do your WAFs block every day?
  ▫ DLP tools?
  ▫ What volume of log files are reviewed daily?

Also…

• Do a real risk assessment. Full stop.
  ▫ Don’t just do a random risk register
  ▫ Stand back and take a look at the whole business from a security perspective
  ▫ This is one where you don’t want too much in the weeds…
  ▫ But enough to express the bad stuff

For example

• Do your developers push code directly into production without change management?

• Do you know what really goes on inside your network?

• How about what actually leaves your network?
• Have you looked at indicators of compromise?

Align with business risk

•  IT risk should be hand in hand with other areas- like operational, reputational, financial risk

•  If you don’t know what these are- start asking people who would know

• Be prepared to show how your program ties back
• Let’s look at an example

Third party risk assessments

•  Should not only be for IT (and if they are…run away!)

•  Should start with the business risks and include a component of IT risk

•  IT risk may indicate problems where others aren’t looking:

•  Like a partner whose domain name is registered in the Ukraine

In summary

• What have we learned?
• Time for the game of

Resources

•  http://csis.org/publication/raising-bar-cybersecurity

•  http://www.tripwire.com/tripwire/assets/File/ponemon/True_Cost_of_Compliance_Report.pdf