With mounting regulatory pressure, and the sheer number of vulnerabilities on the rise, organizations today must have a mechanism in place to monitor and audit themselves to ensure compliance with their own policies and standards – as well as any applicable regulation. Thus the importance of good Compliance Reporting! Before any type of meaningful reporting can be constructed – there are a few key things to consider:
Information Security Policy:
Do you have an information security policy in place? If you do…is it measurable? If you’re struggling in this area…you’re not alone! A good set of measurable policies (controls) can be quickly established by leveraging “security best practices” – which is a great place to start. There are many directions you could take at this juncture (in terms of a standard of reference), but the direction I would recommend leverages one of the most widely recognized policy frameworks available – the ISO standard (http://www.iso.org/iso/home.htm). The ISO standard consists of a well understood set of controls and objectives, which can be used to establish and measure control (or policy) effectiveness – and thus measure the level of compliance.
Assess Your Risk:
Once your policy is in place, you need a means to accurately assess your risk, and to determine any deficiencies or issues that may cause you to drift into a non-compliant state. This is where automation comes in! With good automated tools…you can quickly (with very little user impact) assess your level of risk. In order to get the best possible results, the frequency at which these assessments occur is very important. Anything less than a quarterly assessment puts you in a very vulnerable position, so the more frequent, the better! Much like the value of any financial statement (in this case a “security balance sheet”) – frequent vulnerability assessments provide a point-in-time picture of your current state. So what’s important at this stage is the ability to establish a regimented, automated process which will ensure an accurate assessment of your current level of risk, while at the same time allowing you to actively address any issues in a timely fashion.
Automate Remediation of Discovered Risks:
Next up (and this is very important) is the ability to automate the remediation of any discovered form of risk. Good reporting, absent the ability to remediate, is like eating French fries without ketchup…it still tastes good, but you sense something important is missing. Without remediation…the function of compliance reporting becomes less than automatic. Once the assessment of risk is complete and risks are identified…if there isn’t some form of automated remediation in place…the remediation process gets bogged down, and the chance for errors (especially if humans are involved) goes way up! Reporting (post assessment) will clearly illustrate the potential for risk. The ability to take some form of actionable, automated steps to solve matters presents enormous value. It can also have a direct impact on any organization’s ability to proactively address any sudden, unexpected issues (example: Conficker). Interesting link: http://shavlik.typepad.com/mark_shavliks_blog/2009/03/confickerc-will-this-virus-make-us-april-fools.html.
Now, with your policies in place, and the assessment and remediation process well defined, we can move on to the all-important “Compliance Report”. Reporting is only as good as the accuracy of the data being reported, and the importance of its “consumability” should not be forgotten either. Whether the report is for internal use, or something that will be used to address the requirements of the most stringent of auditors…it has to be comprehensive, easy to understand, and most importantly easy to generate. Falling back on what I discussed earlier, a well-established set of policies that leverages any form of well recognized framework standard (like ISO) creates clear measurability – which is the basis for good compliance reporting.
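To make the “measurability” point concrete, here is an added example (my own code, not from the original post or from any product) of the minimal roll-up behind a compliance report: assessment results per host are mapped onto a set of controls, each control gets a compliance percentage, hosts whose last assessment is older than a quarter are flagged as stale, and the non-compliant (host, control) pairs are emitted as the queue that an automated remediation step would consume. The control identifiers, titles, host names and dates are all constructed placeholders, not real ISO clause numbers or real scan output.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The post recommends at least quarterly assessments; anything older than this
# window is reported as stale rather than silently counted as current.
MAX_ASSESSMENT_AGE_DAYS = 90

# Constructed placeholder control set. A real deployment would map these onto
# the clauses of the chosen framework (e.g. ISO); these ids are illustrative only.
CONTROLS = {
    "CTRL-01": "Security patches applied within 30 days of release",
    "CTRL-02": "Anti-malware signatures no older than 7 days",
    "CTRL-03": "Local administrator accounts use non-default passwords",
}


@dataclass
class HostAssessment:
    """Result of one automated assessment of one host (constructed sample data)."""
    host: str
    assessed_on: date
    results: dict  # control id -> True (compliant) / False (non-compliant)


@dataclass
class ControlSummary:
    control: str
    title: str
    compliant_hosts: int
    total_hosts: int
    failing_hosts: list = field(default_factory=list)

    @property
    def pct(self) -> float:
        return 100.0 * self.compliant_hosts / self.total_hosts if self.total_hosts else 0.0


def summarize(assessments, controls=CONTROLS):
    """Roll per-host results up to one ControlSummary per control.

    A control that was not checked on a host (missing key) is treated as
    non-compliant: the report fails closed rather than inflating the number."""
    out = {}
    for cid, title in controls.items():
        passed = [a.host for a in assessments if a.results.get(cid) is True]
        failed = [a.host for a in assessments if a.results.get(cid) is not True]
        out[cid] = ControlSummary(cid, title, len(passed), len(assessments), failed)
    return out


def stale_hosts(assessments, today, max_age_days=MAX_ASSESSMENT_AGE_DAYS):
    """Hosts whose most recent assessment falls outside the allowed window."""
    cutoff = today - timedelta(days=max_age_days)
    return [a.host for a in assessments if a.assessed_on < cutoff]


def overall_compliance(summaries):
    """Percentage of all (host, control) checks that passed."""
    total = sum(s.total_hosts for s in summaries.values())
    passed = sum(s.compliant_hosts for s in summaries.values())
    return 100.0 * passed / total if total else 0.0


def remediation_queue(summaries):
    """Sorted (host, control) pairs still non-compliant: the actionable output
    an automated remediation step would consume."""
    return sorted((host, cid) for cid, s in summaries.items() for host in s.failing_hosts)


def render(summaries, stale, today):
    """Plain-text report, kept short so it stays easy to read for non-specialists."""
    lines = [f"Compliance report as of {today.isoformat()}",
             f"Overall: {overall_compliance(summaries):.1f}% of checks compliant"]
    for s in summaries.values():
        lines.append(f"  {s.control} {s.pct:5.1f}%  {s.title}")
        if s.failing_hosts:
            lines.append(f"           non-compliant: {', '.join(s.failing_hosts)}")
    if stale:
        lines.append(f"Stale assessments (> {MAX_ASSESSMENT_AGE_DAYS} days): {', '.join(stale)}")
    return "\n".join(lines)


# Constructed sample assessments; dates are invented for illustration.
SAMPLE = [
    HostAssessment("web-01", date(2009, 3, 20), {"CTRL-01": True, "CTRL-02": True, "CTRL-03": True}),
    HostAssessment("web-02", date(2009, 3, 20), {"CTRL-01": False, "CTRL-02": True, "CTRL-03": True}),
    HostAssessment("db-01", date(2008, 11, 2), {"CTRL-01": True, "CTRL-02": False}),  # CTRL-03 never checked
    HostAssessment("fs-01", date(2009, 3, 21), {"CTRL-01": True, "CTRL-02": True, "CTRL-03": False}),
]
TODAY = date(2009, 3, 31)

if __name__ == "__main__":
    summaries = summarize(SAMPLE)
    print(render(summaries, stale_hosts(SAMPLE, TODAY), TODAY))
    print("Remediation queue:", remediation_queue(summaries))
```

Two design choices matter for the accuracy the post insists on: a control that was never checked on a host counts as a failure rather than a pass, and a host whose last scan is older than the assessment window is called out separately, so a stale “green” result cannot masquerade as current compliance.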
So…in closing, good compliance reporting, supported by the right levels of automation is critical. With measurability comes proof, and with proof – compliance can’t be far behind!